Description
Situation
npm audit reports low severity vulnerabilities (CVE-2025-7339) in on-headers < 1.1.0
Steps to reproduce
git clone https://github.com/cypress-io/cypress-example-kitchensink
cd cypress-example-kitchensink
npm install
npm audit fix
Logs
$ npm audit
# npm audit report
on-headers <1.1.0
on-headers is vulnerable to http response header manipulation - https://github.com/advisories/GHSA-76c9-3jph-rj3q
fix available via `npm audit fix --force`
Will install serve@10.0.2, which is a breaking change
node_modules/on-headers
compression 1.0.3 - 1.8.0
Depends on vulnerable versions of on-headers
node_modules/compression
serve >=10.1.0
Depends on vulnerable versions of compression
node_modules/serve
3 low severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
$ npm ls on-headers
cypress-example-kitchensink@0.0.0-development
└─┬ serve@14.2.4
  └─┬ compression@1.7.4
    └── on-headers@1.0.2
Assessment
on-headers@1.0.2 is a transitive dependency of serve@14.2.4 (current latest) and the vulnerability cannot be fixed with npm audit fix or by uninstalling and re-installing serve.
The issue has been reported upstream in "Low severity vulnerability in on-headers@1.0.2 CVE-2025-7339" (vercel/serve#825) and is awaiting action on PR "chore(deps): update compression to v1.8.1" (vercel/serve#824).
Edit: now fixed
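The assessment above comes from reading the npm ls chain to see which direct dependency pulls in the vulnerable on-headers. The script below, an added example that is not part of this issue or of the cypress-example-kitchensink project, does that mechanically over `npm ls --all --json` output: it walks the tree, collects every chain that ends in a version below the fixed one, and names the direct dependency that would have to be bumped (or wait for an upstream release). The JSON tree embedded in it is constructed to mirror the chain in the logs above, plus a constructed "some-other-lib" dependency carrying a fixed on-headers so that a non-flagged path is visible; the function names are this example's own, not npm's.

```python
"""Walk `npm ls --all --json` output and report every chain to a vulnerable package.

Added example, not from the issue or from npm. The sample tree is constructed to
mirror the issue's chain: serve@14.2.4 -> compression@1.7.4 -> on-headers@1.0.2.
"""
import json

# Constructed sample in the shape of `npm ls --all --json` (name/version/dependencies).
SAMPLE_NPM_LS_JSON = json.dumps({
    "name": "cypress-example-kitchensink",
    "version": "0.0.0-development",
    "dependencies": {
        "serve": {
            "version": "14.2.4",
            "dependencies": {
                "compression": {
                    "version": "1.7.4",
                    "dependencies": {"on-headers": {"version": "1.0.2"}},
                }
            },
        },
        # constructed second dependent that already carries the fixed version
        "some-other-lib": {
            "version": "2.0.0",
            "dependencies": {"on-headers": {"version": "1.1.0"}},
        },
    },
})


def parse_version(v):
    """Comparable key for a semver string; a prerelease sorts below its release.

    Build metadata (+...) is ignored. Returns None if the release part is not numeric,
    e.g. for a deduped entry where npm printed no version.
    """
    core = v.split("+", 1)[0]
    release, _, prerelease = core.partition("-")
    try:
        nums = tuple(int(p) for p in release.split("."))
    except ValueError:
        return None
    return nums + ((0,) if prerelease else (1,))


def find_paths(tree, package, path=()):
    """Yield (path, version) for every occurrence of `package` anywhere in the tree."""
    for name, node in (tree.get("dependencies") or {}).items():
        version = node.get("version", "?")
        here = path + (f"{name}@{version}",)
        if name == package:
            yield here, version
        # keep descending: the same package can be nested again further down
        yield from find_paths(node, package, here)


def vulnerable_paths(npm_ls_json, package, fixed_in):
    """Return ' > '-joined chains whose installed `package` is older than `fixed_in`."""
    tree = json.loads(npm_ls_json)
    root = f"{tree.get('name')}@{tree.get('version')}"
    fixed = parse_version(fixed_in)
    hits = []
    for path, version in find_paths(tree, package):
        key = parse_version(version)
        if key is not None and key < fixed:
            hits.append(" > ".join((root,) + path))
    return hits


def top_level_dependents(chains):
    """Direct dependencies (second element of each chain) that pull the vulnerable package in."""
    return sorted({chain.split(" > ")[1] for chain in chains})


if __name__ == "__main__":
    chains = vulnerable_paths(SAMPLE_NPM_LS_JSON, "on-headers", "1.1.0")
    for chain in chains:
        print("VULNERABLE:", chain)
    print("direct dependents to bump or wait on:", top_level_dependents(chains))
```

Against a real project, capture the tree with `npm ls --all --json > tree.json` and pass the file contents to vulnerable_paths. When the only chains reported run through a direct dependency whose published releases all still pin the vulnerable range, that is the situation the assessment describes: npm audit fix has nothing to move to until the upstream package (here serve, via compression) ships an update.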