If you discover a security vulnerability, please report it by emailing security@codeforamerica.org rather than opening a public issue.
Status: Accepted risk

Date: 2026-02-02
The newman package (Postman CLI for API testing) has several known vulnerabilities in its dependencies:
| Package | Severity | Advisory |
|---|---|---|
| jose | moderate | GHSA-hhhv-q57g-882q |
| lodash | moderate | GHSA-xxjr-mmjv-4gpg |
| node-forge | high | GHSA-554w-wpv2-vw27 |
| qs | high | GHSA-6rw7-vpxm-498p |
Why we accept this risk:
- These are dev dependencies only; they are not included in any production builds or runtime code
- Newman is used solely for integration testing during development
- The vulnerabilities require specifically crafted malicious input to exploit
- The upstream maintainers (Postman) have not yet released patches
- Forcing dependency overrides may break newman's functionality
Mitigation:
- Newman is not used in production environments
- Test inputs are controlled and not from untrusted sources
- We will update when patches become available upstream
To check current status:

```sh
npm audit
```
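As an added example (not part of this record or of newman), the following check compares `npm audit --json` output with the four advisories accepted above, so that a new advisory fails CI while an accepted one that disappears signals an upstream patch and a reason to revisit this record. It assumes the npm 7+ audit JSON layout (a `vulnerabilities` map whose `via` entries carry an advisory `url`); `SAMPLE_REPORT` is constructed and `GHSA-0000-0000-0000` is a placeholder id.

```python
"""Check `npm audit --json` output against the advisories accepted above.
Added example, not part of the original record; assumes the npm 7+ audit
report layout (a ``vulnerabilities`` map whose ``via`` entries carry the
advisory ``url``). SAMPLE_REPORT below is constructed, not real output.
"""
import json
import re
import subprocess

ACCEPTED = {  # GHSA ids from the accepted-risk table
    "GHSA-hhhv-q57g-882q",  # jose
    "GHSA-xxjr-mmjv-4gpg",  # lodash
    "GHSA-554w-wpv2-vw27",  # node-forge
    "GHSA-6rw7-vpxm-498p",  # qs
}
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

def advisories(report: dict) -> dict:
    """Map each GHSA id in the report to the package it was reported against."""
    found = {}
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            # `via` mixes advisory objects with bare strings that merely name
            # a vulnerable dependency; only the objects carry an advisory url.
            if isinstance(via, dict):
                match = GHSA_RE.search(via.get("url", ""))
                if match:
                    found[match.group(0)] = pkg
    return found

def review(report: dict, accepted: set = ACCEPTED) -> dict:
    """new -> fail the build; resolved -> a patch landed, revisit this record."""
    found = advisories(report)
    return {
        "new": sorted(a for a in found if a not in accepted),
        "resolved": sorted(a for a in accepted if a not in found),
        "still_accepted": sorted(a for a in found if a in accepted),
    }

def review_live() -> dict:
    """`npm audit` exits non-zero whenever findings exist, so no check=True."""
    proc = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
    return review(json.loads(proc.stdout))

SAMPLE_REPORT = {"auditReportVersion": 2, "vulnerabilities": {  # constructed
    "qs": {"severity": "high", "via": [{"url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p"}]},
    "node-forge": {"severity": "high", "via": [{"url": "https://github.com/advisories/GHSA-554w-wpv2-vw27"}]},
    # "GHSA-0000-0000-0000" is a placeholder for an advisory this record does not cover
    "request": {"severity": "moderate", "via": ["qs", {"url": "https://github.com/advisories/GHSA-0000-0000-0000"}]},
}}
```

Run `review_live()` from the project root in CI and fail the job when `new` is non-empty; a non-empty `resolved` list means the accepted-risk table above is out of date.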