diff --git a/.pnp.cjs b/.pnp.cjs
index 73a92f923b..6abc9e071b 100644
--- a/.pnp.cjs
+++ b/.pnp.cjs
@@ -1285,6 +1285,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-jest", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:26.9.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["express", "npm:4.21.0"],\
           ["express-static-gzip", "npm:2.1.8"],\
           ["fast-json-patch", "npm:3.1.1"],\
@@ -1368,6 +1369,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-import-newlines", "virtual:8d919ffb8fd728f827df3f6a566e8e923223ffcec68f7450d83bbbc2dc25d6b8c987e111cbab484b209f253bdf2f2e00663b01a986262c44511128466462a76f#npm:1.4.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["eslint-plugin-vitest", "virtual:8d919ffb8fd728f827df3f6a566e8e923223ffcec68f7450d83bbbc2dc25d6b8c987e111cbab484b209f253bdf2f2e00663b01a986262c44511128466462a76f#npm:0.4.1"],\
           ["eslint-plugin-vue", "virtual:8d919ffb8fd728f827df3f6a566e8e923223ffcec68f7450d83bbbc2dc25d6b8c987e111cbab484b209f253bdf2f2e00663b01a986262c44511128466462a76f#npm:9.28.0"],\
           ["eventemitter3", "npm:5.0.1"],\
@@ -1424,6 +1426,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-jest", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:26.9.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["express", "npm:4.21.0"],\
           ["http-errors", "npm:2.0.0"],\
           ["jest", "virtual:f3f18773c1f2811e8d448670abfc3fed18cdffc11b444f7cbc3548ae5868e74f3c4ee449327c1fc9c24ce0732ee02505411a07539789bec8257188d17bbada1f#npm:29.7.0"],\
@@ -1449,6 +1452,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-jest", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:26.9.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["gtoken", "npm:7.1.0"],\
           ["jest", "virtual:f3f18773c1f2811e8d448670abfc3fed18cdffc11b444f7cbc3548ae5868e74f3c4ee449327c1fc9c24ce0732ee02505411a07539789bec8257188d17bbada1f#npm:29.7.0"],\
           ["js-yaml", "npm:4.1.0"],\
@@ -1469,6 +1473,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-jest", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:26.9.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["jest", "virtual:f3f18773c1f2811e8d448670abfc3fed18cdffc11b444f7cbc3548ae5868e74f3c4ee449327c1fc9c24ce0732ee02505411a07539789bec8257188d17bbada1f#npm:29.7.0"],\
           ["jest-date-mock", "npm:1.0.10"]\
         ],\
@@ -1487,6 +1492,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-jest", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:26.9.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["express", "npm:4.21.0"],\
           ["http-errors", "npm:2.0.0"],\
           ["jest", "virtual:f3f18773c1f2811e8d448670abfc3fed18cdffc11b444f7cbc3548ae5868e74f3c4ee449327c1fc9c24ce0732ee02505411a07539789bec8257188d17bbada1f#npm:29.7.0"],\
@@ -1511,6 +1517,7 @@ const RAW_RUNTIME_STATE =
           ["eslint-plugin-jest", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:26.9.0"],\
           ["eslint-plugin-n", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:15.7.0"],\
           ["eslint-plugin-promise", "virtual:feaa032e1ffbff8da5dad8429b8494744ade8373389ef8e26f3d1f1980ceff327ab996fdc7c1977df285edeb918372fa01d7c87d79c9d7218f8701c70203bfe5#npm:6.6.0"],\
+          ["eslint-plugin-security", "npm:3.0.1"],\
           ["http-errors", "npm:2.0.0"],\
           ["jest", "virtual:f3f18773c1f2811e8d448670abfc3fed18cdffc11b444f7cbc3548ae5868e74f3c4ee449327c1fc9c24ce0732ee02505411a07539789bec8257188d17bbada1f#npm:29.7.0"],\
           ["lodash", "npm:4.17.21"],\
@@ -6055,6 +6062,16 @@ const RAW_RUNTIME_STATE =
         "linkType": "HARD"\
       }]\
     ]],\
+    ["eslint-plugin-security", [\
+      ["npm:3.0.1", {\
+        "packageLocation": "./.yarn/cache/eslint-plugin-security-npm-3.0.1-c5165134bf-6b85feabe3.zip/node_modules/eslint-plugin-security/",\
+        "packageDependencies": [\
+          ["eslint-plugin-security", "npm:3.0.1"],\
+          ["safe-regex", "npm:2.1.1"]\
+        ],\
+        "linkType": "HARD"\
+      }]\
+    ]],\
     ["eslint-plugin-vitest", [\
       ["npm:0.4.1", {\
         "packageLocation": "./.yarn/cache/eslint-plugin-vitest-npm-0.4.1-77fbd88a02-d06a7efec2.zip/node_modules/eslint-plugin-vitest/",\
@@ -10205,6 +10222,15 @@ const RAW_RUNTIME_STATE =
         "linkType": "HARD"\
       }]\
     ]],\
+    ["regexp-tree", [\
+      ["npm:0.1.27", {\
+        "packageLocation": "./.yarn/cache/regexp-tree-npm-0.1.27-e0324e6a9c-f636f44b4a.zip/node_modules/regexp-tree/",\
+        "packageDependencies": [\
+          ["regexp-tree", "npm:0.1.27"]\
+        ],\
+        "linkType": "HARD"\
+      }]\
+    ]],\
     ["regexp.prototype.flags", [\
       ["npm:1.5.2", {\
         "packageLocation": "./.yarn/cache/regexp.prototype.flags-npm-1.5.2-a44e05d7d9-0f3fc4f580.zip/node_modules/regexp.prototype.flags/",\
@@ -10474,6 +10500,16 @@ const RAW_RUNTIME_STATE =
         "linkType": "HARD"\
       }]\
     ]],\
+    ["safe-regex", [\
+      ["npm:2.1.1", {\
+        "packageLocation": "./.yarn/cache/safe-regex-npm-2.1.1-4438cded67-53eb5d3ecf.zip/node_modules/safe-regex/",\
+        "packageDependencies": [\
+          ["safe-regex", "npm:2.1.1"],\
+          ["regexp-tree", "npm:0.1.27"]\
+        ],\
+        "linkType": "HARD"\
+      }]\
+    ]],\
     ["safe-regex-test", [\
       ["npm:1.0.3", {\
         "packageLocation": "./.yarn/cache/safe-regex-test-npm-1.0.3-97fe5cc608-900bf7c98d.zip/node_modules/safe-regex-test/",\
diff --git a/.yarn/cache/eslint-plugin-security-npm-3.0.1-c5165134bf-6b85feabe3.zip b/.yarn/cache/eslint-plugin-security-npm-3.0.1-c5165134bf-6b85feabe3.zip
new file mode 100644
index 0000000000..0fe59aba08
Binary files /dev/null and b/.yarn/cache/eslint-plugin-security-npm-3.0.1-c5165134bf-6b85feabe3.zip differ
diff --git a/.yarn/cache/regexp-tree-npm-0.1.27-e0324e6a9c-f636f44b4a.zip b/.yarn/cache/regexp-tree-npm-0.1.27-e0324e6a9c-f636f44b4a.zip
new file mode 100644
index 0000000000..b3d9f6388a
Binary files /dev/null and b/.yarn/cache/regexp-tree-npm-0.1.27-e0324e6a9c-f636f44b4a.zip differ
diff --git a/.yarn/cache/safe-regex-npm-2.1.1-4438cded67-53eb5d3ecf.zip b/.yarn/cache/safe-regex-npm-2.1.1-4438cded67-53eb5d3ecf.zip
new file mode 100644
index 0000000000..35177266a3
Binary files /dev/null and b/.yarn/cache/safe-regex-npm-2.1.1-4438cded67-53eb5d3ecf.zip differ
diff --git a/backend/lib/app.js b/backend/lib/app.js
index e578f5f6a2..7f820ba9e9 100644
--- a/backend/lib/app.js
+++ b/backend/lib/app.js
@@ -23,6 +23,12 @@ const { healthCheck } = require('./healthz')
 const { port, metricsPort } = config
 const periodSeconds = config.readinessProbe?.periodSeconds || 10
 
+// protect against Prototype Pollution vulnerabilities
+for (const ctor of [Object, Function, Array, String, Number, Boolean]) {
+  Object.freeze(ctor)
+  Object.freeze(ctor.prototype)
+}
+
 // resolve pathnames
 const PUBLIC_DIRNAME = resolve(join(__dirname, '..', 'public'))
 const INDEX_FILENAME = join(PUBLIC_DIRNAME, 'index.html')
diff --git a/backend/lib/cache/tickets.js b/backend/lib/cache/tickets.js
index a25411a382..13bf0178aa 100644
--- a/backend/lib/cache/tickets.js
+++ b/backend/lib/cache/tickets.js
@@ -9,8 +9,8 @@ const _ = require('lodash')
 const logger = require('../logger')
 
 function init () {
-  const issues = {}
-  const commentsForIssues = {} // we could also think of getting rid of the comments cache
+  const issues = new Map()
+  const commentsForIssues = new Map() // we could also think of getting rid of the comments cache
   const emitter = new EventEmitter()
 
   function on (eventName, listener) {
@@ -38,15 +38,16 @@ function init () {
   }
 
   function getIssues () {
-    return _.values(issues)
+    return Array.from(issues.values())
   }
 
   function getCommentsForIssue ({ issueNumber }) {
-    return _.values(getCommentsForIssueCache({ issueNumber }))
+    const comments = getCommentsForIssueCache({ issueNumber })
+    return Array.from(comments.values())
   }
 
   function getIssue (number) {
-    return issues[number]
+    return issues.get(number)
   }
 
   function getIssueNumbers () {
@@ -62,23 +63,25 @@ function init () {
   }
 
   function getCommentsForIssueCache ({ issueNumber }) {
-    if (!commentsForIssues[issueNumber]) {
-      commentsForIssues[issueNumber] = {}
+    if (!commentsForIssues.has(issueNumber)) {
+      commentsForIssues.set(issueNumber, new Map())
     }
-    return commentsForIssues[issueNumber]
+    return commentsForIssues.get(issueNumber)
   }
 
   function addOrUpdateIssues ({ issues }) {
-    _.forEach(issues, issue => addOrUpdateIssue({ issue }))
+    for (const issue of issues) {
+      addOrUpdateIssue({ issue })
+    }
   }
 
   function addOrUpdateIssue ({ issue }) {
-    updateIfNewer('issue', issues, issue, 'number')
+    updateIfNewer('issue', issues, issue)
   }
 
   function addOrUpdateComment ({ issueNumber, comment }) {
     const comments = getCommentsForIssueCache({ issueNumber })
-    updateIfNewer('comment', comments, comment, 'id')
+    updateIfNewer('comment', comments, comment)
   }
 
   function removeIssue ({ issue }) {
@@ -87,29 +90,33 @@ function init () {
 
     const comments = getCommentsForIssueCache({ issueNumber })
 
-    _.unset(issues, issueNumber)
-    _.unset(commentsForIssues, issueNumber)
+    issues.delete(issueNumber)
+    commentsForIssues.delete(issueNumber)
 
     emitIssueDeleted(issue)
-    _.forEach(comments, emitCommmentDeleted)
+    for (const comment of comments.values()) {
+      emitCommmentDeleted(comment)
+    }
   }
 
   function removeComment ({ issueNumber, comment }) {
     const identifier = comment.metadata.id
     logger.trace('removing comment', identifier, 'of issue', issueNumber)
     const commentsForIssuesCache = getCommentsForIssueCache({ issueNumber })
-    _.unset(commentsForIssuesCache, identifier)
+    commentsForIssuesCache.delete(identifier)
     emitCommmentDeleted(comment)
   }
 
-  function updateIfNewer (kind, cachedList, item, itemIdentifier) {
-    const identifier = item.metadata[itemIdentifier]
-    const cachedItem = cachedList[identifier]
+  function updateIfNewer (kind, cachedMap, item) {
+    const identifier = kind === 'issue'
+      ? item.metadata.number
+      : item.metadata.id
+    const cachedItem = cachedMap.get(identifier)
     if (cachedItem) {
       if (isCachedItemOlder(cachedItem, item)) {
         if (!_.isEqual(cachedItem, item)) {
           logger.trace('updating', kind, identifier)
-          cachedList[identifier] = item
+          cachedMap.set(identifier, item)
           emitModified(kind, item)
         }
       } else {
@@ -117,7 +124,7 @@ function init () {
       }
     } else {
       logger.trace('adding new', kind, identifier)
-      cachedList[identifier] = item
+      cachedMap.set(identifier, item)
       emitAdded(kind, item)
     }
     return item
diff --git a/backend/lib/config/gardener.js b/backend/lib/config/gardener.js
index 093579b370..1be47f2fa6 100644
--- a/backend/lib/config/gardener.js
+++ b/backend/lib/config/gardener.js
@@ -131,30 +131,22 @@ function parseConfigValue (value, type) {
   }
 }
 
-function getValueFromFile (filePath, type) {
-  try {
-    const value = fs.readFileSync(filePath, 'utf8')
-    return parseConfigValue(value, type)
-  } catch (error) {
-    return undefined
-  }
-}
-
-function getValueFromEnvironmentOrFile (env, environmentVariableName, filePath, type) {
-  const value = parseConfigValue(env[environmentVariableName], type)
-  if (value !== undefined) {
-    return value
-  }
-
-  if (filePath) {
-    return getValueFromFile(filePath, type)
-  }
-}
-
 module.exports = {
   assignConfigFromEnvironmentAndFileSystem (config, env) {
-    for (const { environmentVariableName, configPath, filePath, type = 'String' } of configMappings) {
-      const value = getValueFromEnvironmentOrFile(env, environmentVariableName, filePath, type)
+    for (const configMapping of configMappings) {
+      const {
+        environmentVariableName,
+        configPath,
+        filePath,
+        type = 'String'
+      } = configMapping
+      let rawValue = env[environmentVariableName] // eslint-disable-line security/detect-object-injection
+      if (!rawValue && filePath) {
+        try {
+          rawValue = fs.readFileSync(filePath, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
+        } catch (err) { /* ignore error */ }
+      }
+      const value = parseConfigValue(rawValue, type)
 
       if (value !== undefined) {
         _.set(config, configPath, value)
@@ -224,6 +216,7 @@ module.exports = {
     return config
   },
   readConfig (path) {
-    return yaml.load(fs.readFileSync(path, 'utf8'))
+    const data = fs.readFileSync(path, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
+    return yaml.load(data)
   }
 }
diff --git a/backend/lib/hooks.js b/backend/lib/hooks.js
index e9b68edeac..a89626972d 100644
--- a/backend/lib/hooks.js
+++ b/backend/lib/hooks.js
@@ -50,11 +50,12 @@ class LifecycleHooks {
     this.io = io(server, cache)
     // register watches
     for (const [key, watch] of Object.entries(watches)) {
-      if (informers[key]) {
+      const informer = informers[key] // eslint-disable-line security/detect-object-injection
+      if (informer) {
         if (key === 'leases') {
-          watch(this.io, informers[key], { signal: this.ac.signal })
+          watch(this.io, informer, { signal: this.ac.signal })
         } else {
-          watch(this.io, informers[key])
+          watch(this.io, informer)
         }
       }
     }
diff --git a/backend/lib/middleware.js b/backend/lib/middleware.js
index 541f451849..5a4a7cba27 100644
--- a/backend/lib/middleware.js
+++ b/backend/lib/middleware.js
@@ -55,10 +55,10 @@ function errorToLocals (err, req) {
     ? { name, stack }
     : { name }
   let code = 500
-  let reason = STATUS_CODES[code]
+  let reason = _.get(STATUS_CODES, [code])
   if (isHttpError(err)) {
     code = err.statusCode
-    reason = STATUS_CODES[code]
+    reason = _.get(STATUS_CODES, [code])
   }
   if (code < 100 || code >= 600) {
     code = 500
diff --git a/backend/lib/routes/config.js b/backend/lib/routes/config.js
index c9c6734318..38bf74a398 100644
--- a/backend/lib/routes/config.js
+++ b/backend/lib/routes/config.js
@@ -41,8 +41,9 @@ router.route('/')
 function sanitizeFrontendConfig (frontendConfig) {
   const converter = markdown.createConverter()
   const convertAndSanitize = (obj, key) => {
-    if (obj[key]) {
-      obj[key] = converter.makeSanitizedHtml(obj[key])
+    const value = obj[key] // eslint-disable-line security/detect-object-injection -- key is a local fixed string
+    if (value) {
+      obj[key] = converter.makeSanitizedHtml(value) // eslint-disable-line security/detect-object-injection -- key is a local fixed string
     }
   }
 
diff --git a/backend/lib/routes/terminals.js b/backend/lib/routes/terminals.js
index 104e5f0298..344bd5da82 100644
--- a/backend/lib/routes/terminals.js
+++ b/backend/lib/routes/terminals.js
@@ -8,7 +8,6 @@
 
 const express = require('express')
 const { terminals, authorization } = require('../services')
-const _ = require('lodash')
 const { UnprocessableEntity } = require('http-errors')
 const { metricsRoute } = require('../middleware')
 
@@ -41,10 +40,33 @@ router.route('/')
 
       const { method, params: body } = req.body
 
-      if (!_.includes(['create', 'fetch', 'list', 'config', 'remove', 'heartbeat', 'listProjectTerminalShortcuts'], method)) {
-        throw new UnprocessableEntity(`${method} not allowed for terminals`)
+      let terminalOperation
+      switch (method) {
+        case 'create':
+          terminalOperation = terminals.create
+          break
+        case 'fetch':
+          terminalOperation = terminals.fetch
+          break
+        case 'list':
+          terminalOperation = terminals.list
+          break
+        case 'config':
+          terminalOperation = terminals.config
+          break
+        case 'remove':
+          terminalOperation = terminals.remove
+          break
+        case 'heartbeat':
+          terminalOperation = terminals.heartbeat
+          break
+        case 'listProjectTerminalShortcuts':
+          terminalOperation = terminals.listProjectTerminalShortcuts
+          break
+        default:
+          throw new UnprocessableEntity(`${method} not allowed for terminals`)
       }
-      res.send(await terminals[method]({ user, body }))
+      res.send(await terminalOperation.call(terminals, { user, body }))
     } catch (err) {
       next(err)
     }
diff --git a/backend/lib/security/index.js b/backend/lib/security/index.js
index 658f97103e..b25735185c 100644
--- a/backend/lib/security/index.js
+++ b/backend/lib/security/index.js
@@ -280,9 +280,9 @@ async function authorizationCallback (req, res) {
     secure: true,
     path: '/'
   }
-  const stateObject = {}
+  let stateObject = {}
   if (COOKIE_STATE in req.cookies) {
-    Object.assign(stateObject, req.cookies[COOKIE_STATE])
+    stateObject = req.cookies[COOKIE_STATE] // eslint-disable-line security/detect-object-injection -- COOKIE_STATE is a constant
     res.clearCookie(COOKIE_STATE, options)
   }
   const {
@@ -299,7 +299,7 @@ async function authorizationCallback (req, res) {
     state
   }
   if (COOKIE_CODE_VERIFIER in req.cookies) {
-    checks.code_verifier = req.cookies[COOKIE_CODE_VERIFIER]
+    checks.code_verifier = req.cookies[COOKIE_CODE_VERIFIER] // eslint-disable-line security/detect-object-injection -- COOKIE_CODE_VERIFIER is a constant
     res.clearCookie(COOKIE_CODE_VERIFIER, options)
   }
   const tokenSet = await authorizationCodeExchange(backendRedirectUri, parameters, checks)
@@ -316,8 +316,9 @@ function isXmlHttpRequest ({ headers = {} }) {
 }
 
 function getAccessToken (cookies) {
-  const [header, payload] = split(cookies[COOKIE_HEADER_PAYLOAD], '.')
-  const signature = cookies[COOKIE_SIGNATURE]
+  const headerAndPayload = cookies[COOKIE_HEADER_PAYLOAD] // eslint-disable-line security/detect-object-injection -- COOKIE_HEADER_PAYLOAD is a constant
+  const [header, payload] = split(headerAndPayload, '.')
+  const signature = cookies[COOKIE_SIGNATURE] // eslint-disable-line security/detect-object-injection -- COOKIE_SIGNATURE is a constant
   if (header && payload && signature) {
     return join([header, payload, signature], '.')
   }
@@ -360,7 +361,7 @@ function csrfProtection (req) {
 
 async function getTokenSet (cookies) {
   const accessToken = getAccessToken(cookies)
-  const encryptedValues = cookies[COOKIE_TOKEN]
+  const encryptedValues = cookies[COOKIE_TOKEN] // eslint-disable-line security/detect-object-injection -- COOKIE_TOKEN is a constant
   if (!encryptedValues) {
     throw createError(401, 'No bearer token found in request', { code: 'ERR_JWE_NOT_FOUND' })
   }
diff --git a/backend/lib/services/members/Member.js b/backend/lib/services/members/Member.js
index 0929a1a557..32c85a61e9 100644
--- a/backend/lib/services/members/Member.js
+++ b/backend/lib/services/members/Member.js
@@ -8,7 +8,14 @@
 
 const { pick } = require('lodash')
 
-const PROPERTY_NAMES = ['createdBy', 'creationTimestamp', 'deletionTimestamp', 'description', 'kubeconfig', 'orphaned']
+const PROPERTY_NAMES = Object.freeze([
+  'createdBy',
+  'creationTimestamp',
+  'deletionTimestamp',
+  'description',
+  'kubeconfig',
+  'orphaned'
+])
 
 class Member {
   constructor (username, { roles, extensions } = {}) {
@@ -32,6 +39,10 @@ class Member {
       name: username
     }
   }
+
+  static get allowedExtensionProperties () {
+    return PROPERTY_NAMES
+  }
 }
 
 module.exports = Member
diff --git a/backend/lib/services/members/SubjectList.js b/backend/lib/services/members/SubjectList.js
index 8c1799e3cd..caf3280cf3 100644
--- a/backend/lib/services/members/SubjectList.js
+++ b/backend/lib/services/members/SubjectList.js
@@ -50,30 +50,43 @@ class SubjectList {
       const id = item.id
       if (_.startsWith(id, `system:serviceaccount:${namespace}:`)) {
         const extensions = {}
-        if (serviceAccountItems[id]) {
-          _.assign(extensions, serviceAccountItems[id].extensions)
-          delete serviceAccountItems[id]
+        const serviceAccountItem = serviceAccountItemMap.get(id)
+        if (serviceAccountItem) {
+          Object.assign(extensions, serviceAccountItem.extensions)
+          serviceAccountItemMap.delete(id)
         } else {
-          _.set(extensions, 'orphaned', true)
+          extensions.orphaned = true
         }
         item.extend(extensions)
       }
     }
 
-    const serviceAccountItems = _
+    const toMap = obj => new Map(Object.entries(obj))
+
+    const serviceAccountItemMap = _
       .chain(serviceAccounts)
       .map(createServiceAccountItem)
       .keyBy('id')
+      .thru(toMap)
       .value()
 
-    this.subjectListItems = _
+    const subjectListItemMap = _
       .chain(subjects)
       .map(createItem)
       .groupBy('id')
       .mapValues(createGroup)
       .forEach(extendItem)
-      .assign(serviceAccountItems)
+      .thru(toMap)
       .value()
+
+    this.subjectListItemMap = new Map([
+      ...subjectListItemMap,
+      ...serviceAccountItemMap
+    ])
+  }
+
+  get subjectListItems () {
+    return Object.fromEntries(this.subjectListItemMap)
   }
 
   get subjects () {
@@ -96,19 +109,19 @@ class SubjectList {
   }
 
   get (id) {
-    return this.subjectListItems[id]
+    return this.subjectListItemMap.get(id)
   }
 
   set (id, item) {
-    this.subjectListItems[id] = item
+    this.subjectListItemMap.set(id, item)
   }
 
   delete (id) {
-    delete this.subjectListItems[id]
+    this.subjectListItemMap.delete(id)
   }
 
   has (id) {
-    return !!this.subjectListItems[id]
+    return this.subjectListItemMap.has(id)
   }
 }
 
diff --git a/backend/lib/services/members/SubjectListItem.js b/backend/lib/services/members/SubjectListItem.js
index df14be53f4..037ae7b10d 100644
--- a/backend/lib/services/members/SubjectListItem.js
+++ b/backend/lib/services/members/SubjectListItem.js
@@ -10,6 +10,11 @@ const _ = require('lodash')
 
 const Member = require('./Member')
 
+const allowedExtensionProperties = Object.freeze([
+  ...Member.allowedExtensionProperties,
+  'secrets'
+])
+
 class SubjectListItem {
   constructor (index = SubjectListItem.NOT_IN_LIST) {
     this.index = index
@@ -32,7 +37,7 @@ class SubjectListItem {
 
   extend (obj) {
     const before = _.cloneDeep(this.extensions)
-    const after = _.assign(this.extensions, obj)
+    const after = _.assign(this.extensions, _.pick(obj, allowedExtensionProperties))
     return !_.isEqual(before, after)
   }
 
diff --git a/backend/lib/services/shoots.js b/backend/lib/services/shoots.js
index 5bb1b8a2c2..60020a475d 100644
--- a/backend/lib/services/shoots.js
+++ b/backend/lib/services/shoots.js
@@ -47,12 +47,24 @@ exports.list = async function ({ user, namespace, labelSelector }) {
         .filter(projectFilter(user, false))
         .map('spec.namespace')
         .value()
-      const statuses = await Promise.allSettled(namespaces.map(namespace => authorization.canListShoots(user, namespace)))
+
+      const results = await Promise.allSettled(namespaces.map(async namespace => {
+        const allowed = await authorization.canListShoots(user, namespace)
+        return [namespace, allowed]
+      }))
+
+      const allowedNamespaceMap = _
+        .chain(results)
+        .filter(['status', 'fulfilled'])
+        .map('value')
+        .thru(value => new Map(value))
+        .value()
+
       return {
         apiVersion: 'v1',
         kind: 'List',
         items: namespaces
-          .filter((_, i) => statuses[i].status === 'fulfilled' && statuses[i].value)
+          .filter(namespace => allowedNamespaceMap.get(namespace))
           .flatMap(namespace => cache.getShoots(namespace, query))
       }
     }
@@ -340,7 +352,7 @@ exports.info = async function ({ user, namespace, name }) {
         if (key === 'kubeconfig') {
           try {
             const kubeconfigObject = cleanKubeconfig(value)
-            data[key] = kubeconfigObject.toYAML()
+            data.kubeconfig = kubeconfigObject.toYAML()
           } catch (err) {
             logger.error('failed to clean kubeconfig', err)
           }
diff --git a/backend/lib/services/terminals/index.js b/backend/lib/services/terminals/index.js
index 851ce25b6e..f2f02922e4 100644
--- a/backend/lib/services/terminals/index.js
+++ b/backend/lib/services/terminals/index.js
@@ -102,7 +102,7 @@ function findImageDescription (containerImage, containerImageDescriptions) {
     .find(({ image }) => {
       if (_.startsWith(image, '/') && _.endsWith(image, '/')) {
         image = image.substring(1, image.length - 1)
-        return new RegExp(image).test(containerImage)
+        return new RegExp(image).test(containerImage) // eslint-disable-line security/detect-non-literal-regexp
       }
       return image === containerImage
     })
diff --git a/backend/lib/utils/index.js b/backend/lib/utils/index.js
index e96b9aa947..d3375646d6 100644
--- a/backend/lib/utils/index.js
+++ b/backend/lib/utils/index.js
@@ -113,20 +113,63 @@ function trimProject (project) {
   return project
 }
 
+function parseSelector (selector = '') {
+  let notOperator
+  let key
+  let operator
+  let value = ''
+
+  if (selector.startsWith('!')) {
+    notOperator = '!'
+    selector = selector.slice(1)
+  }
+
+  const index = selector.search(/[=!]/)
+  if (index !== -1) {
+    key = selector.slice(0, index)
+    const remainingPart = selector.slice(index)
+    if (remainingPart.startsWith('==')) {
+      operator = '=='
+      value = remainingPart.slice(2)
+    } else if (remainingPart.startsWith('=')) {
+      operator = '='
+      value = remainingPart.slice(1)
+    } else if (remainingPart.startsWith('!=')) {
+      operator = '!='
+      value = remainingPart.slice(2)
+    } else {
+      operator = ''
+      value = remainingPart
+    }
+  } else {
+    key = selector
+  }
+
+  const isValidPart = part => /^[a-zA-Z0-9._/-]*$/.test(part)
+
+  if (!isValidPart(key) || !isValidPart(value)) {
+    return
+  }
+
+  if (notOperator) {
+    if (!operator) {
+      return { op: NOT_EXISTS, key }
+    }
+  } else if (!operator) {
+    return { op: EXISTS, key }
+  } else if (operator === '!=') {
+    return { op: NOT_EQUAL, key, value }
+  } else if (operator === '=' || operator === '==') {
+    return { op: EQUAL, key, value }
+  }
+}
+
 function parseSelectors (selectors) {
   const items = []
   for (const selector of selectors) {
-    const [, notOperator, key, operator, value = ''] = /^(!)?([a-zA-Z0-9._/-]+)(=|==|!=)?([a-zA-Z0-9._-]+)?$/.exec(selector) ?? []
-    if (notOperator) {
-      if (!operator) {
-        items.push({ op: NOT_EXISTS, key })
-      }
-    } else if (!operator) {
-      items.push({ op: EXISTS, key })
-    } else if (operator === '!=') {
-      items.push({ op: NOT_EQUAL, key, value })
-    } else if (operator === '=' || operator === '==') {
-      items.push({ op: EQUAL, key, value })
+    const item = parseSelector(selector)
+    if (item) {
+      items.push(item)
     }
   }
   return items
@@ -136,7 +179,7 @@ function filterBySelectors (selectors) {
   return item => {
     const labels = item.metadata.labels ?? {}
     for (const { op, key, value } of selectors) {
-      const labelValue = labels[key] ?? ''
+      const labelValue = _.get(labels, [key], '')
       switch (op) {
         case NOT_EXISTS: {
           if (key in labels) {
diff --git a/backend/package.json b/backend/package.json
index acee9ab7ff..df0c39a77d 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -82,6 +82,7 @@
     "eslint-plugin-jest": "^26.9.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "fast-json-patch": "^3.1.1",
     "jest": "^29.7.0",
     "p-event": "^4.2.0",
@@ -100,6 +101,7 @@
     ],
     "extends": [
       "standard",
+      "plugin:security/recommended-legacy",
       "plugin:jest/recommended"
     ],
     "globals": {
@@ -117,7 +119,21 @@
     "overrides": [
       {
         "files": [
-          "**/__tests__/*.js",
+          "**/__fixtures__/**",
+          "**/__mocks__/**",
+          "**/__tests__/**",
+          "**/test/**",
+          "jest.setup.js"
+        ],
+        "rules": {
+          "security/detect-object-injection": "off",
+          "security/detect-possible-timing-attacks": "off",
+          "security/detect-unsafe-regex": "off"
+        }
+      },
+      {
+        "files": [
+          "**/__tests__/**",
           "**/test/**/*.spec.js"
         ],
         "env": {
diff --git a/frontend/.eslintrc.cjs b/frontend/.eslintrc.cjs
index 1da1401246..3c902d68ad 100644
--- a/frontend/.eslintrc.cjs
+++ b/frontend/.eslintrc.cjs
@@ -17,6 +17,7 @@ module.exports = {
   extends: [
     'eslint:recommended',
     'standard',
+    'plugin:security/recommended-legacy',
     'plugin:vue/vue3-recommended',
     'plugin:vitest/recommended',
   ],
@@ -101,4 +102,19 @@ module.exports = {
     'vue/require-default-prop': 'off',
     'vue/order-in-components': 'error',
   },
+  overrides: [
+    {
+      files: [
+        '**/__fixtures__/**',
+        '**/__mocks__/**',
+        '**/__tests__/**',
+        'vite.config.js',
+      ],
+      rules: {
+        'security/detect-object-injection': 'off',
+        'security/detect-non-literal-fs-filename': 'off',
+        'security/detect-unsafe-regex': 'off',
+      },
+    },
+  ],
 }
diff --git a/frontend/__tests__/utils/hibernationSchedule.spec.js b/frontend/__tests__/utils/hibernationSchedule.spec.js
index 98192d4bbc..d974fef567 100644
--- a/frontend/__tests__/utils/hibernationSchedule.spec.js
+++ b/frontend/__tests__/utils/hibernationSchedule.spec.js
@@ -5,6 +5,7 @@
 //
 
 import {
+  parseCronExpression,
   scheduleEventsFromCrontabBlock,
   crontabBlocksFromScheduleEvents,
 } from '@/utils/hibernationSchedule'
@@ -14,6 +15,28 @@ const currentLocation = moment.tz.guess()
 
 describe('utils', () => {
   describe('hibernationSchedule', () => {
+    describe('#parseCronExpression', () => {
+      it('should parse a crontab expressions', () => {
+        expect(parseCronExpression('0 8 * * 1')).toEqual({
+          hour: '8',
+          minute: '0',
+          weekdays: '1',
+        })
+        expect(parseCronExpression('00 12 * * 1,2,3,4,5').weekdays).toBe('1,2,3,4,5')
+        expect(parseCronExpression('00 12 * * MON,TUE,WED,THU,FRI').weekdays).toBe('1,2,3,4,5')
+        expect(parseCronExpression('00 12 * * 1-5').weekdays).toBe('1,2,3,4,5')
+        expect(parseCronExpression('00 12 * * 7').weekdays).toBe('0')
+        expect(parseCronExpression('00 12 * * *').weekdays).toBe('1,2,3,4,5,6,0')
+        expect(parseCronExpression('00 12 * * SAT,SUN').weekdays).toBe('6,0')
+      })
+
+      it('should fail to parse a crontab expressions', () => {
+        expect(parseCronExpression('00 12 * * FR')).toBeUndefined()
+        expect(parseCronExpression('00 12 * * 8')).toBeUndefined()
+        expect(parseCronExpression('00 12 0 * 1')).toBeUndefined()
+        expect(parseCronExpression('00 12 * 0 1')).toBeUndefined()
+      })
+    })
     describe('#scheduleEventsFromCrontabBlock', () => {
       it('should parse a simple crontab block', () => {
         const crontabBlock = {
diff --git a/frontend/__tests__/utils/index.spec.js b/frontend/__tests__/utils/index.spec.js
index 856d475cfc..7fcc543e73 100644
--- a/frontend/__tests__/utils/index.spec.js
+++ b/frontend/__tests__/utils/index.spec.js
@@ -16,6 +16,7 @@ import {
   getTimeStringFrom,
   parseNumberWithMagnitudeSuffix,
   normalizeVersion,
+  isEmail,
 } from '@/utils'
 
 import {
@@ -471,6 +472,29 @@ describe('utils', () => {
     })
   })
 
+  describe('isEmail', () => {
+    it('should return true for valid emails', () => {
+      expect(isEmail('a@b.de')).toBe(true)
+      expect(isEmail('a@b.a.r.com')).toBe(true)
+      expect(isEmail('abcdefghijklmnopqrstuvwxyz0123456789.!#$%&’*+/=?^_`{|}~-@bar.com')).toBe(true)
+    })
+
+    it('should return false for valid emails', () => {
+      expect(isEmail(undefined)).toBe(false)
+      expect(isEmail('')).toBe(false)
+      expect(isEmail('a'.repeat(321))).toBe(false)
+      expect(isEmail('bar.com')).toBe(false)
+      expect(isEmail('a@b@bar.com')).toBe(false)
+      expect(isEmail('a@b@bar.com')).toBe(false)
+      expect(isEmail('@bar.com')).toBe(false)
+      expect(isEmail('a@bar')).toBe(false)
+      expect(isEmail('<a>@bar.com')).toBe(false)
+      expect(isEmail('a@bar.c')).toBe(false)
+      expect(isEmail('a@bar..com')).toBe(false)
+      expect(isEmail('abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789@bar.com')).toBe(false)
+    })
+  })
+
   describe('normalizeVersion', () => {
     it('should fill missing segments', () => {
       expect(normalizeVersion('1.12')).toBe('1.12.0')
diff --git a/frontend/package.json b/frontend/package.json
index 3a8aad9626..082a325458 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -87,6 +87,7 @@
     "eslint-plugin-import-newlines": "^1.4.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "eslint-plugin-vitest": "^0.4.0",
     "eslint-plugin-vue": "^9.23.0",
     "jsdom": "^25.0.0",
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index 69cf43ebbd..a2994b84ef 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -33,6 +33,8 @@ import { useProjectStore } from '@/store/project'
 
 import { useCustomColors } from '@/composables/useCustomColors'
 
+import { get } from '@/lodash'
+
 const theme = useTheme()
 const route = useRoute()
 const localStorageStore = useLocalStorageStore()
@@ -62,7 +64,9 @@ const { system } = useColorMode({
   },
 })
 
-provide('getColorCode', value => theme.current.value?.colors[value])
+provide('getColorCode', value => {
+  return get(theme.current.value, ['colors', value])
+})
 
 const bus = useEventBus('esc-pressed')
 
diff --git a/frontend/src/components/GMainNavigation.vue b/frontend/src/components/GMainNavigation.vue
index 0055641622..cffc8ac2f4 100644
--- a/frontend/src/components/GMainNavigation.vue
+++ b/frontend/src/components/GMainNavigation.vue
@@ -491,7 +491,7 @@ function highlightProjectWithKeys (keyDirection) {
     currentHighlightedIndex++
   }
 
-  const newHighlightedProject = sortedAndFilteredProjectList.value[currentHighlightedIndex]
+  const newHighlightedProject = sortedAndFilteredProjectList.value[currentHighlightedIndex] // eslint-disable-line security/detect-object-injection
   highlightedProjectName.value = newHighlightedProject.metadata.name
 
   if (currentHighlightedIndex >= numberOfVisibleProjects.value - 1) {
diff --git a/frontend/src/components/GPositionalDropzone.vue b/frontend/src/components/GPositionalDropzone.vue
index 347b608e85..7024cc13c1 100644
--- a/frontend/src/components/GPositionalDropzone.vue
+++ b/frontend/src/components/GPositionalDropzone.vue
@@ -188,10 +188,12 @@ export default {
   },
   methods: {
     fillOnPosition (position) {
-      return this.mouseDown ? this.rect[position] : undefined
+      const { [position]: value } = this.rect
+      return this.mouseDown ? value : undefined
     },
     strokeRectOnPosition (position) {
-      return this.mouseDown ? this.strokeRect[position] : undefined
+      const { [position]: value } = this.strokeRect
+      return this.mouseDown ? value : undefined
     },
     dragOver ({ detail: { mouseOverId: position } }) {
       this.showIt = true
@@ -199,13 +201,9 @@ export default {
         return
       }
       this.mouseDown = true
-      const newRect = {}
-      newRect[position] = '#d71e00'
-      this.rect = newRect
+      this.rect = { [position]: '#d71e00' }
 
-      const newStrokeRect = {}
-      newStrokeRect[position] = '#fff'
-      this.strokeRect = newStrokeRect
+      this.strokeRect = { [position]: '#fff' }
       this.currentPosition = position
     },
     dragLeaveZone () {
diff --git a/frontend/src/components/GShootSubscriptionStatus.vue b/frontend/src/components/GShootSubscriptionStatus.vue
index da70b32ced..9bd6fd1466 100644
--- a/frontend/src/components/GShootSubscriptionStatus.vue
+++ b/frontend/src/components/GShootSubscriptionStatus.vue
@@ -125,7 +125,7 @@ const components = {
 }
 
 function resolveComponent (name) {
-  return components[name]
+  return components[name] // eslint-disable-line security/detect-object-injection
 }
 
 const {
diff --git a/frontend/src/components/GTerminal.vue b/frontend/src/components/GTerminal.vue
index 76318ebbe7..580b5805f0 100644
--- a/frontend/src/components/GTerminal.vue
+++ b/frontend/src/components/GTerminal.vue
@@ -601,7 +601,7 @@ export default {
       this.$emit('terminated')
     },
     async configure (refName) {
-      this.loading[refName] = true
+      this.loading[refName] = true // eslint-disable-line security/detect-object-injection
       const { namespace, name, target } = this.data
       try {
         const { data: config } = await this.api.terminalConfig({ name, namespace, target })
@@ -610,7 +610,7 @@ export default {
       } catch (err) {
         this.showErrorSnackbarBottom(get(err, 'response.data.message', err.message))
       } finally {
-        this.loading[refName] = false
+        this.loading[refName] = false // eslint-disable-line security/detect-object-injection
       }
 
       const initialState = {
diff --git a/frontend/src/components/Secrets/GSecretDialogDDns.vue b/frontend/src/components/Secrets/GSecretDialogDDns.vue
index 210569b3bb..41bfe77758 100644
--- a/frontend/src/components/Secrets/GSecretDialogDDns.vue
+++ b/frontend/src/components/Secrets/GSecretDialogDDns.vue
@@ -182,7 +182,10 @@ export default {
       zone: withFieldName('Zone', {
         required,
         format: withMessage('Must be fully qualified', value => {
-          return /^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.$/.test(value)
+          if (typeof value !== 'string' || value.length > 255) {
+            return false
+          }
+          return /^[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*\.$/.test(value) // eslint-disable-line security/detect-unsafe-regex
         }),
       }),
     }
diff --git a/frontend/src/components/ShootAccessRestrictions/GAccessRestrictions.vue b/frontend/src/components/ShootAccessRestrictions/GAccessRestrictions.vue
index e076774826..f329ef3fab 100644
--- a/frontend/src/components/ShootAccessRestrictions/GAccessRestrictions.vue
+++ b/frontend/src/components/ShootAccessRestrictions/GAccessRestrictions.vue
@@ -97,7 +97,7 @@ const {
 
 function getDisabled (key) {
   const value = getAccessRestrictionValue(key)
-  const { input } = accessRestrictionDefinitions.value[key]
+  const { input } = accessRestrictionDefinitions.value[key] // eslint-disable-line security/detect-object-injection
   const inverted = !!input?.inverted
   return !NAND(value, inverted)
 }
diff --git a/frontend/src/components/ShootAddons/GManageAddons.vue b/frontend/src/components/ShootAddons/GManageAddons.vue
index f93e943627..a7e6d05574 100644
--- a/frontend/src/components/ShootAddons/GManageAddons.vue
+++ b/frontend/src/components/ShootAddons/GManageAddons.vue
@@ -65,7 +65,7 @@ const {
 } = useShootContext()
 
 function getDisabledForbidden (name) {
-  const { forbidDisable = false } = addonDefinitions.value[name]
+  const { forbidDisable = false } = addonDefinitions.value[name] // eslint-disable-line security/detect-object-injection
   return !props.createMode && forbidDisable && getAddonEnabled(name)
 }
 
diff --git a/frontend/src/components/ShootDetails/GGardenctlCommands.vue b/frontend/src/components/ShootDetails/GGardenctlCommands.vue
index 08817f1c37..eca6be1f43 100644
--- a/frontend/src/components/ShootDetails/GGardenctlCommands.vue
+++ b/frontend/src/components/ShootDetails/GGardenctlCommands.vue
@@ -155,13 +155,17 @@ export default {
   },
   methods: {
     visibilityIcon (index) {
-      return this.expansionPanel[index] ? 'mdi-eye-off' : 'mdi-eye'
+      return this.expansionPanel[index] // eslint-disable-line security/detect-object-injection
+        ? 'mdi-eye-off'
+        : 'mdi-eye'
     },
     visibilityTitle (index) {
-      return this.expansionPanel[index] ? 'Hide Command' : 'Show Command'
+      return this.expansionPanel[index] // eslint-disable-line security/detect-object-injection
+        ? 'Hide Command'
+        : 'Show Command'
     },
     toggle (index) {
-      this.expansionPanel[index] = !this.expansionPanel[index]
+      this.expansionPanel[index] = !this.expansionPanel[index] // eslint-disable-line security/detect-object-injection
     },
   },
 }
diff --git a/frontend/src/components/ShootDetails/GShootDetailsCard.vue b/frontend/src/components/ShootDetails/GShootDetailsCard.vue
index cbde6996c5..1786439c87 100644
--- a/frontend/src/components/ShootDetails/GShootDetailsCard.vue
+++ b/frontend/src/components/ShootDetails/GShootDetailsCard.vue
@@ -245,6 +245,7 @@ import utils, {
 } from '@/utils'
 
 import {
+  get,
   filter,
   map,
 } from '@/lodash'
@@ -284,14 +285,12 @@ const isValidTerminationDate = computed(() => {
   return utils.isValidTerminationDate(shootExpirationTimestamp.value)
 })
 
-const addon = computed(() => {
-  return name => {
-    return shootAddons.value[name] || {}
-  }
-})
+function getAddon (name) {
+  return get(shootAddons.value, [name], {})
+}
 
 const shootAddonNames = computed(() => {
-  return map(filter(shootAddonList, item => addon.value(item.name).enabled), 'title')
+  return map(filter(shootAddonList, item => getAddon(item.name).enabled), 'title')
 })
 
 const slaDescriptionHtml = computed(() => {
diff --git a/frontend/src/components/ShootMessages/GShootMessages.vue b/frontend/src/components/ShootMessages/GShootMessages.vue
index 6fab1cc897..c2b172c009 100644
--- a/frontend/src/components/ShootMessages/GShootMessages.vue
+++ b/frontend/src/components/ShootMessages/GShootMessages.vue
@@ -94,6 +94,10 @@ const components = {
   'g-force-delete-message': GForceDeleteMessage,
 }
 
+function resolveComponent (name) {
+  return components[name] // eslint-disable-line security/detect-object-injection
+}
+
 const props = defineProps({
   small: {
     type: Boolean,
@@ -477,10 +481,6 @@ function colorForSeverity (severity) {
       return 'primary'
   }
 }
-
-function resolveComponent (name) {
-  return components[name]
-}
 </script>
 
 <style lang="scss" scoped>
diff --git a/frontend/src/components/dialogs/GProjectDialog.vue b/frontend/src/components/dialogs/GProjectDialog.vue
index d09982a109..2fd9380ce4 100644
--- a/frontend/src/components/dialogs/GProjectDialog.vue
+++ b/frontend/src/components/dialogs/GProjectDialog.vue
@@ -212,7 +212,7 @@ const isUniqueProjectName = withMessage(
 
 const isValidCostObject = withMessage(
   costObjectErrorMessage.value,
-  helpers.regex(new RegExp(costObjectRegex.value)),
+  helpers.regex(costObjectRegex.value),
 )
 
 const rules = {
diff --git a/frontend/src/components/icons/GIconBase.vue b/frontend/src/components/icons/GIconBase.vue
index e6f0069993..e6cf74be43 100644
--- a/frontend/src/components/icons/GIconBase.vue
+++ b/frontend/src/components/icons/GIconBase.vue
@@ -26,6 +26,8 @@ SPDX-License-Identifier: Apache-2.0
 <script>
 import { isHtmlColorCode } from '@/utils'
 
+import { get } from '@/lodash'
+
 export default {
   props: {
     iconName: {
@@ -55,7 +57,8 @@ export default {
       if (isHtmlColorCode(iconColor)) {
         return iconColor
       }
-      return this.$vuetify.theme.current.colors[iconColor]
+      const currentTheme = this.$vuetify.theme.current
+      return get(currentTheme, ['colors', iconColor])
     },
   },
 }
diff --git a/frontend/src/composables/helper.js b/frontend/src/composables/helper.js
index d2f1411808..0c9529cfb1 100644
--- a/frontend/src/composables/helper.js
+++ b/frontend/src/composables/helper.js
@@ -5,6 +5,7 @@
 //
 
 import {
+  set,
   isEmpty,
   isNil,
   isObject,
@@ -16,7 +17,7 @@ export function cleanup (obj) {
     for (const [key, value] of Object.entries(obj)) {
       const cleanValue = cleanupValue(value)
       if (cleanValue !== null) {
-        cleanObj[key] = cleanValue
+        set(cleanObj, [key], cleanValue)
       }
     }
     return cleanObj
diff --git a/frontend/src/composables/useApi/fetch.js b/frontend/src/composables/useApi/fetch.js
index 3f5ba3cd3b..0dda14ceb8 100644
--- a/frontend/src/composables/useApi/fetch.js
+++ b/frontend/src/composables/useApi/fetch.js
@@ -87,10 +87,10 @@ function fulfilledFn (request) {
     if (!contentType) {
       promise = Promise.resolve(response)
     } else {
-      const method = contentType.startsWith('application/json')
-        ? 'json'
-        : 'text'
-      promise = response[method]().then(data => {
+      promise = contentType.startsWith('application/json')
+        ? response.json()
+        : response.text()
+      promise = promise.then(data => {
         Object.defineProperty(response, 'data', {
           value: data,
         })
diff --git a/frontend/src/composables/useCustomColors.js b/frontend/src/composables/useCustomColors.js
index c8c9b9ff05..6589a65105 100644
--- a/frontend/src/composables/useCustomColors.js
+++ b/frontend/src/composables/useCustomColors.js
@@ -14,12 +14,15 @@ import { toValue } from '@vueuse/core'
 
 import { isHtmlColorCode } from '@/utils'
 
-import { get } from '@/lodash'
+import {
+  get,
+  set,
+} from '@/lodash'
 
 function patchThemes (themes, customThemes) {
   for (const colorMode of ['light', 'dark']) {
-    const themeColors = themes[colorMode]?.colors ?? {}
-    const customThemeColors = customThemes[colorMode] ?? {}
+    const themeColors = get(themes, [colorMode, 'colors'], {})
+    const customThemeColors = get(customThemes, [colorMode], {})
     patchThemeColors(themeColors, customThemeColors)
   }
 }
@@ -36,9 +39,9 @@ function setThemeColor (themeColors, key, value) {
   }
   const colorCode = get(vuetifyColors, value)
   if (colorCode) {
-    themeColors[key] = colorCode
+    set(themeColors, [key], colorCode)
   } else if (isHtmlColorCode(value)) {
-    themeColors[key] = value
+    set(themeColors, [key], value)
   }
 }
 
diff --git a/frontend/src/composables/useLogger.js b/frontend/src/composables/useLogger.js
index f0f46c91d6..98c5896176 100644
--- a/frontend/src/composables/useLogger.js
+++ b/frontend/src/composables/useLogger.js
@@ -31,7 +31,7 @@ function print (key, ...args) {
   } else {
     args.unshift(prefix)
   }
-  const fn = console[key] // eslint-disable-line no-console
+  const fn = console[key] // eslint-disable-line security/detect-object-injection, no-console
   if (typeof fn === 'function') {
     fn(...args)
   }
diff --git a/frontend/src/composables/useProjectCostObject.js b/frontend/src/composables/useProjectCostObject.js
index 0e7e86b2b4..68e9bf015f 100644
--- a/frontend/src/composables/useProjectCostObject.js
+++ b/frontend/src/composables/useProjectCostObject.js
@@ -51,7 +51,10 @@ export const useProjectCostObject = (projectItem, options = {}) => {
 
   const costObjectTitle = computed(() => get(costObjectSettings.value, 'title'))
 
-  const costObjectRegex = computed(() => get(costObjectSettings.value, 'regex', '[^]*'))
+  const costObjectRegex = computed(() => {
+    const pattern = get(costObjectSettings.value, 'regex', '[^]*')
+    return new RegExp(pattern) // eslint-disable-line security/detect-non-literal-regexp
+  })
 
   const costObjectErrorMessage = computed(() => get(costObjectSettings.value, 'errorMessage', ''))
 
diff --git a/frontend/src/composables/useShootAccessRestrictions/index.js b/frontend/src/composables/useShootAccessRestrictions/index.js
index 71de28161b..5f12548ec5 100644
--- a/frontend/src/composables/useShootAccessRestrictions/index.js
+++ b/frontend/src/composables/useShootAccessRestrictions/index.js
@@ -73,10 +73,10 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
     const accessRestrictionDefinitions = {}
     for (const definition of accessRestrictionDefinitionList.value) {
       const { key, options } = definition
-      accessRestrictionDefinitions[key] = {
+      set(accessRestrictionDefinitions, [key], {
         ...definition,
         options: keyBy(options, 'key'),
-      }
+      })
     }
     return accessRestrictionDefinitions
   })
@@ -95,7 +95,7 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
   })
 
   function getAccessRestrictionValue (key) {
-    const { input } = accessRestrictionDefinitions.value[key]
+    const { input } = get(accessRestrictionDefinitions.value, [key])
     const inverted = !!input?.inverted
     const defaultValue = inverted
     const value = getSeedSelectorMatchLabel(key, defaultValue) === 'true'
@@ -103,7 +103,7 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
   }
 
   function setAccessRestrictionValue (key, value) {
-    const { input, options } = accessRestrictionDefinitions.value[key]
+    const { input, options } = get(accessRestrictionDefinitions.value, [key])
     const enabled = NAND(value, !!input?.inverted)
     if (enabled) {
       setSeedSelectorMatchLabel(key, 'true')
@@ -120,7 +120,7 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
   }
 
   function getAccessRestrictionOptionValue (key) {
-    const { accessRestrictionKey } = accessRestrictionOptionDefinitions.value[key]
+    const { accessRestrictionKey } = get(accessRestrictionOptionDefinitions.value, [key])
     const { input } = get(accessRestrictionDefinitions.value, [accessRestrictionKey, 'options', key])
     const inverted = !!input?.inverted
     const defaultValue = inverted
@@ -129,7 +129,7 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
   }
 
   function setAccessRestrictionOptionValue (key, value) {
-    const { accessRestrictionKey } = accessRestrictionOptionDefinitions.value[key]
+    const { accessRestrictionKey } = get(accessRestrictionOptionDefinitions.value, [key])
     const { input } = get(accessRestrictionDefinitions.value, [accessRestrictionKey, 'options', key])
     const inverted = !!input?.inverted
     setShootAnnotation(key, `${NAND(value, inverted)}`)
diff --git a/frontend/src/composables/useShootContext.js b/frontend/src/composables/useShootContext.js
index e4da957a93..48d21c671a 100644
--- a/frontend/src/composables/useShootContext.js
+++ b/frontend/src/composables/useShootContext.js
@@ -672,7 +672,7 @@ export function createShootContextComposable (options = {}) {
     const defaultAddons = {}
     if (!providerState.workerless) {
       for (const { name, enabled } of visibleAddonDefinitionList.value) {
-        defaultAddons[name] = { enabled }
+        set(defaultAddons, [name], { enabled })
       }
     }
     addons.value = defaultAddons
diff --git a/frontend/src/composables/useShootDns.js b/frontend/src/composables/useShootDns.js
index 6c3b5aab2c..f60a588696 100644
--- a/frontend/src/composables/useShootDns.js
+++ b/frontend/src/composables/useShootDns.js
@@ -207,7 +207,7 @@ export const useShootDns = (manifest, options) => {
   }
 
   function deleteDnsServiceExtensionProvider (index) {
-    const provider = dnsServiceExtensionProviders.value[index]
+    const provider = get(dnsServiceExtensionProviders.value, [index])
     if (!provider) {
       return
     }
diff --git a/frontend/src/composables/useShootEditor/helper.js b/frontend/src/composables/useShootEditor/helper.js
index acdc5a6c97..8aa073c2f2 100644
--- a/frontend/src/composables/useShootEditor/helper.js
+++ b/frontend/src/composables/useShootEditor/helper.js
@@ -20,6 +20,7 @@ import {
   upperFirst,
   flatMap,
   get,
+  unset,
   forIn,
   isEqual,
   first,
@@ -97,7 +98,7 @@ export class EditorCompletions {
     const cur = cm.getCursor()
 
     const { lineString, lineTokens } = this._getTokenLine(cm, cur)
-    const [, indent, firstArrayItem] = lineString.match(/^(\s*)(-\s)?(.*?)?$/) || []
+    const [, indent, firstArrayItem] = lineString.match(/^(\s*)(-\s)?(.*)$/) || []
     let extraIntent = ''
     if (firstArrayItem) {
       extraIntent = `${repeat(' ', this.arrayBulletIndent)}`
@@ -143,7 +144,7 @@ export class EditorCompletions {
       }
       if (Array.isArray(type)) {
         return type
-          .map((type, i) => formatTypeText(type, format[i]))
+          .map((type, i) => formatTypeText(type, format[i])) // eslint-disable-line security/detect-object-injection
           .join(' | ')
       }
       return formatTypeText(type, format)
@@ -214,7 +215,7 @@ export class EditorCompletions {
     let token
     const { lineTokens, lineString } = this._getTokenLine(cm, cur)
     forEach(lineTokens, lineToken => {
-      const result = lineToken.string.match(/^(\s*)-\s(.*)?$/)
+      const result = lineToken.string.match(/^(\s*)-\s(.*)$/)
       if (result) {
         const indent = result[1]
         token = lineToken
@@ -380,7 +381,7 @@ export class EditorCompletions {
           this.logger.warn('Unsupported schema array length, %s has length %i at %s', propertyName, propertyValue.length, parentPropertyName)
         }
 
-        delete properties[propertyName]
+        unset(properties, [propertyName])
       } else if (typeof propertyValue === 'object') {
         this._resolveSchemaArrays(propertyValue, propertyName)
       }
diff --git a/frontend/src/composables/useShootEditor/index.js b/frontend/src/composables/useShootEditor/index.js
index f5ef70e4d8..ff9ab54cd8 100644
--- a/frontend/src/composables/useShootEditor/index.js
+++ b/frontend/src/composables/useShootEditor/index.js
@@ -32,6 +32,7 @@ import {
 
 import {
   get,
+  set,
   omit,
   isEqual,
 } from '@/lodash'
@@ -97,7 +98,8 @@ export function useShootEditor (initialValue, options = {}) {
     }
     const extraKeys = {}
     for (const [key, value] of Object.entries(originalExtraKeys)) {
-      extraKeys[localStorageStore.editorShortcuts[key] ?? key] = value
+      const keyCode = get(localStorageStore.editorShortcuts, [key], key)
+      set(extraKeys, [keyCode], value)
     }
     return extraKeys
   }
diff --git a/frontend/src/lib/g-symbol-tree.js b/frontend/src/lib/g-symbol-tree.js
index 35782ddb44..ed1d52623a 100644
--- a/frontend/src/lib/g-symbol-tree.js
+++ b/frontend/src/lib/g-symbol-tree.js
@@ -120,8 +120,8 @@ export class GSymbolTree extends SymbolTree {
       return
     }
 
-    const targetItem = this.itemMap[targetId]
-    const sourceItem = this.itemMap[sourceId]
+    const targetItem = this.itemMap[targetId] // eslint-disable-line security/detect-object-injection
+    const sourceItem = this.itemMap[sourceId] // eslint-disable-line security/detect-object-injection
     if (!targetItem || !sourceItem) {
       return
     }
@@ -136,7 +136,7 @@ export class GSymbolTree extends SymbolTree {
   }
 
   removeWithId (id, clean = true) {
-    const item = this.itemMap[id]
+    const item = this.itemMap[id] // eslint-disable-line security/detect-object-injection
     if (!item) {
       return
     }
@@ -174,14 +174,14 @@ export class GSymbolTree extends SymbolTree {
   _addToItemMap (newItem) {
     if (newItem instanceof Leaf) {
       const key = newItem.uuid
-      this.itemMap[key] = newItem
+      this.itemMap[key] = newItem // eslint-disable-line security/detect-object-injection
     }
   }
 
   _removeFromItemMap (removeObject) {
     if (removeObject instanceof Leaf) {
       const key = removeObject.uuid
-      delete this.itemMap[key]
+      delete this.itemMap[key] // eslint-disable-line security/detect-object-injection
     }
   }
 
diff --git a/frontend/src/lib/terminal.js b/frontend/src/lib/terminal.js
index 7834eadb66..5194eb55fa 100644
--- a/frontend/src/lib/terminal.js
+++ b/frontend/src/lib/terminal.js
@@ -462,8 +462,9 @@ export class Spinner {
     this._hideCursor()
     this.#intervalId = setInterval(() => {
       i = ++i % frames.length
+      const frame = frames[i] // eslint-disable-line security/detect-object-injection
       this._eraseLine()
-      this.#term.write(frames[i] + ' ' + this.#text)
+      this.#term.write(frame + ' ' + this.#text)
     }, 125)
   }
 
diff --git a/frontend/src/store/cloudProfile/index.js b/frontend/src/store/cloudProfile/index.js
index 8f5296b528..c85ea3b030 100644
--- a/frontend/src/store/cloudProfile/index.js
+++ b/frontend/src/store/cloudProfile/index.js
@@ -339,7 +339,7 @@ export const useCloudProfileStore = defineStore('cloudProfile', () => {
     if (!cloudProfile) {
       return []
     }
-    const items = cloudProfile.data[type]
+    const items = get(cloudProfile.data, [type])
     if (!region) {
       return items
     }
@@ -484,7 +484,7 @@ export const useCloudProfileStore = defineStore('cloudProfile', () => {
 
     const items = get(configStore, 'accessRestriction.items')
     return filter(items, ({ key }) => {
-      return key && labels[key] === 'true'
+      return key && get(labels, [key]) === 'true'
     })
   }
 
@@ -541,10 +541,12 @@ export const useCloudProfileStore = defineStore('cloudProfile', () => {
     const newerVersionsForShoot = filter(validVersions, ({ version }) => semver.gt(version, shootVersion))
     for (const version of newerVersionsForShoot) {
       const diff = semver.diff(version.version, shootVersion)
+      /* eslint-disable security/detect-object-injection */
       if (!newerVersions[diff]) {
         newerVersions[diff] = []
       }
       newerVersions[diff].push(version)
+      /* eslint-enable security/detect-object-injection */
     }
     newerVersions = newerVersionsForShoot.length ? newerVersions : null
     availableKubernetesUpdatesCache.set(key, newerVersions)
diff --git a/frontend/src/store/config.js b/frontend/src/store/config.js
index a7b5c3924e..6832f9a348 100644
--- a/frontend/src/store/config.js
+++ b/frontend/src/store/config.js
@@ -108,7 +108,7 @@ const wellKnownConditions = {
 
 export function getCondition (type) {
   if (type in wellKnownConditions) {
-    return wellKnownConditions[type]
+    return get(wellKnownConditions, [type])
   }
 
   let name = ''
@@ -356,7 +356,7 @@ export const useConfigStore = defineStore('config', () => {
       if (!purpose) {
         return true
       }
-      return !!defaultHibernationSchedule.value[purpose]
+      return !!get(defaultHibernationSchedule.value, [purpose], false)
     }
     return false
   }
@@ -374,7 +374,7 @@ export const useConfigStore = defineStore('config', () => {
   }
 
   function conditionForType (type) {
-    return allKnownConditions.value[type] ?? getCondition(type)
+    return get(allKnownConditions.value, [type], getCondition(type))
   }
 
   return {
diff --git a/frontend/src/store/localStorage.js b/frontend/src/store/localStorage.js
index 73054c464c..4146f9c219 100644
--- a/frontend/src/store/localStorage.js
+++ b/frontend/src/store/localStorage.js
@@ -78,6 +78,7 @@ const useLazyLocalStorage = () => {
 
   const createGetter = (name, initialValue = null) => {
     return () => {
+      /* eslint-disable security/detect-object-injection */
       const currentKey = refs[name]?.[kLocalStorageKey]
       const key = keys[name]
       if (currentKey !== key) {
@@ -85,6 +86,7 @@ const useLazyLocalStorage = () => {
         refs[name] = createLocalStorageRef(key, initialValue)
       }
       return refs[name]
+      /* eslint-enable security/detect-object-injection */
     }
   }
 
diff --git a/frontend/src/store/project.js b/frontend/src/store/project.js
index 90592aed5f..bcb71bac60 100644
--- a/frontend/src/store/project.js
+++ b/frontend/src/store/project.js
@@ -25,6 +25,7 @@ import {
   findIndex,
   map,
   get,
+  set,
   replace,
 } from '@/lodash'
 
@@ -48,8 +49,9 @@ export const useProjectStore = defineStore('project', () => {
   const projectNameMap = computed(() => {
     const projectNames = {}
     if (Array.isArray(list.value)) {
-      for (const { metadata: { name }, spec: { namespace } } of list.value) {
-        projectNames[namespace] = name
+      for (const project of list.value) {
+        const { metadata: { name }, spec: { namespace } } = project
+        set(projectNames, [namespace], name)
       }
     }
     return projectNames
@@ -97,7 +99,8 @@ export const useProjectStore = defineStore('project', () => {
   function updateList (obj) {
     const index = findIndex(list.value, ['metadata.name', obj.metadata.name])
     if (index !== -1) {
-      list.value.splice(index, 1, Object.assign(list.value[index], obj))
+      const item = list.value[index] // eslint-disable-line security/detect-object-injection
+      list.value.splice(index, 1, Object.assign(item, obj))
     } else {
       list.value.push(obj)
     }
@@ -111,7 +114,7 @@ export const useProjectStore = defineStore('project', () => {
     const namespace = typeof metadata === 'string'
       ? metadata
       : metadata?.namespace
-    return projectNameMap.value[namespace] ?? replace(namespace, /^garden-/, '')
+    return get(projectNameMap.value, [namespace], replace(namespace, /^garden-/, ''))
   }
 
   async function fetchProjects () {
diff --git a/frontend/src/store/quota/helper.js b/frontend/src/store/quota/helper.js
index 76f2ff9743..a9af34a166 100644
--- a/frontend/src/store/quota/helper.js
+++ b/frontend/src/store/quota/helper.js
@@ -7,6 +7,8 @@
 import { parseNumberWithMagnitudeSuffix } from '@/utils'
 
 import {
+  get,
+  set,
   map,
   replace,
   upperFirst,
@@ -22,7 +24,7 @@ export function getProjectQuotaStatus (quota) {
 
   const { hard, used } = quota
   const quotaStatus = map(hard, (limitValue, key) => {
-    const usedValue = used[key] || 0
+    const usedValue = get(used, [key], 0)
     const percentage = Math.floor((usedValue / limitValue) * 100)
     const resourceName = replace(key, 'count/', '')
     const caption = upperFirst(head(split(resourceName, '.')))
@@ -54,12 +56,12 @@ export function aggregateResourceQuotaStatus (quotas) {
 
   for (const quota of quotas) {
     for (const [key, value] of Object.entries(quota.hard)) {
-      const currentValue = hard[key] ?? Number.MAX_SAFE_INTEGER
-      hard[key] = Math.min(parseNumberWithMagnitudeSuffix(value), currentValue).toString()
+      const currentValue = get(hard, [key], Number.MAX_SAFE_INTEGER)
+      set(hard, [key], Math.min(parseNumberWithMagnitudeSuffix(value), currentValue).toString())
     }
     for (const [key, value] of Object.entries(quota.used)) {
-      const currentValue = used[key] ?? Number.MIN_SAFE_INTEGER
-      used[key] = Math.max(parseNumberWithMagnitudeSuffix(value), currentValue).toString()
+      const currentValue = get(used, [key], Number.MIN_SAFE_INTEGER)
+      set(used, [key], Math.max(parseNumberWithMagnitudeSuffix(value), currentValue).toString())
     }
   }
 
diff --git a/frontend/src/store/quota/index.js b/frontend/src/store/quota/index.js
index a8e8ded20e..91a6b634f5 100644
--- a/frontend/src/store/quota/index.js
+++ b/frontend/src/store/quota/index.js
@@ -22,7 +22,11 @@ import {
   aggregateResourceQuotaStatus,
 } from './helper'
 
-import { map } from '@/lodash'
+import {
+  get,
+  set,
+  map,
+} from '@/lodash'
 
 export const useQuotaStore = defineStore('quota', () => {
   const api = useApi()
@@ -32,7 +36,7 @@ export const useQuotaStore = defineStore('quota', () => {
 
   const projectQuotaStatus = computed(() => {
     const namespace = authzStore.namespace
-    const quota = quotas.value[namespace]
+    const quota = get(quotas.value, [namespace])
     return quota
       ? getProjectQuotaStatus(quota)
       : []
@@ -40,7 +44,7 @@ export const useQuotaStore = defineStore('quota', () => {
 
   async function fetchQuotas (namespace = authzStore.namespace) {
     const response = await api.getResourceQuotas({ namespace })
-    quotas.value[namespace] = aggregateResourceQuotaStatus(map(response.data, 'status'))
+    set(quotas.value, [namespace], aggregateResourceQuotaStatus(map(response.data, 'status')))
   }
 
   return {
diff --git a/frontend/src/store/secret.js b/frontend/src/store/secret.js
index 1d5ec015c4..008010ebb4 100644
--- a/frontend/src/store/secret.js
+++ b/frontend/src/store/secret.js
@@ -118,7 +118,7 @@ export const useSecretStore = defineStore('secret', () => {
     const index = findIndex(list.value, eqlNameAndNamespace(obj.metadata))
     if (index !== -1) {
       list.value.splice(index, 1, {
-        ...list.value[index],
+        ...list.value[index], // eslint-disable-line security/detect-object-injection
         ...obj,
       })
     } else {
diff --git a/frontend/src/store/seed.js b/frontend/src/store/seed.js
index 7ea6c2c77a..6028169dba 100644
--- a/frontend/src/store/seed.js
+++ b/frontend/src/store/seed.js
@@ -48,7 +48,7 @@ export const useSeedStore = defineStore('seed', () => {
     const seedsByName = keyBy(list.value, 'metadata.name')
     const names = get(cloudProfile, 'data.seedNames', [])
     for (const name of names) {
-      const seed = seedsByName[name]
+      const seed = get(seedsByName, [name])
       if (seed) {
         seeds.push(seed)
       }
diff --git a/frontend/src/store/shoot/helper.js b/frontend/src/store/shoot/helper.js
index 6655ac3a73..611bb3695a 100644
--- a/frontend/src/store/shoot/helper.js
+++ b/frontend/src/store/shoot/helper.js
@@ -74,7 +74,7 @@ export function parseSearch (text) {
     }
     let exact = false
     const end = value.length - 1
-    if (value[0] === '"' && value[end] === '"') {
+    if (value[0] === '"' && value[end] === '"') { // eslint-disable-line security/detect-object-injection
       exact = true
       value = value.substring(1, end).replace(/""/g, '"')
     }
@@ -242,7 +242,7 @@ export function getRawVal (context, item, column) {
         const value = get(item, path)
         return formatValue(value, ' ')
       }
-      return metadata[column]
+      return get(metadata, [column])
     }
   }
 }
@@ -265,7 +265,7 @@ export function getSortVal (state, context, item, sortBy) {
   const status = item.status
   switch (sortBy) {
     case 'purpose':
-      return purposeValue[value] ?? 4
+      return get(purposeValue, [value], 4)
     case 'k8sVersion':
       return (value || '0.0.0').split('.').map(i => padStart(i, 4, '0')).join('.')
     case 'lastOperation': {
diff --git a/frontend/src/store/shoot/shoot.js b/frontend/src/store/shoot/shoot.js
index 6785cf3752..65a188d5f4 100644
--- a/frontend/src/store/shoot/shoot.js
+++ b/frontend/src/store/shoot/shoot.js
@@ -48,6 +48,8 @@ import {
 
 import {
   get,
+  set,
+  unset,
   map,
   pick,
   difference,
@@ -116,7 +118,7 @@ const useShootStore = defineStore('shoot', () => {
   })
 
   const activeShoots = computed(() => {
-    return activeUids.value.map(uid => state.shoots[uid])
+    return activeUids.value.map(uid => get(state.shoots, [uid]))
   })
 
   const activeUids = computed(() => {
@@ -149,8 +151,8 @@ const useShootStore = defineStore('shoot', () => {
       ? state.froozenUids
       : activeUids.value
     const getShoot = state.focusMode
-      ? uid => state.shoots[uid] ?? state.staleShoots[uid]
-      : uid => state.shoots[uid]
+      ? uid => get(state.shoots, [uid]) ?? get(state.staleShoots, [uid])
+      : uid => get(state.shoots, [uid])
     const items = []
     for (const uid of uids) {
       const object = getShoot(uid)
@@ -444,7 +446,7 @@ const useShootStore = defineStore('shoot', () => {
 
   function assignShootInfo (object) {
     const uid = object?.metadata.uid
-    const info = state.shootInfos[uid]
+    const info = get(state.shootInfos, [uid])
     return {
       ...object,
       info,
@@ -458,7 +460,7 @@ const useShootStore = defineStore('shoot', () => {
     } else {
       const uid = metadata.uid
       state.selectedUid = uid
-      const shootInfo = state.shootInfos[uid]
+      const shootInfo = get(state.shootInfos, [uid])
       if (!shootInfo) {
         shootStore.fetchInfo(metadata)
       }
@@ -479,7 +481,8 @@ const useShootStore = defineStore('shoot', () => {
 
   function toogleShootListFilter (key) {
     if (state.shootListFilters) {
-      state.shootListFilters[key] = !state.shootListFilters[key]
+      const value = get(state.shootListFilters, [key])
+      set(state.shootListFilters, [key], !value)
     }
   }
 
@@ -499,7 +502,7 @@ const useShootStore = defineStore('shoot', () => {
     const shootStore = this
     let uids = []
     if (value) {
-      const activeShoots = map(activeUids.value, uid => state.shoots[uid])
+      const activeShoots = map(activeUids.value, uid => get(state.shoots, [uid]))
       const sortedShoots = sortItems(activeShoots, state.sortBy)
       uids = map(sortedShoots, 'metadata.uid')
     }
@@ -535,7 +538,7 @@ const useShootStore = defineStore('shoot', () => {
     for (const item of items) {
       if (notOnlyShootsWithIssues || shootHasIssue(item)) {
         const uid = item.metadata.uid
-        shoots[uid] = markRaw(item)
+        set(shoots, [uid], markRaw(item))
       }
     }
 
@@ -545,11 +548,12 @@ const useShootStore = defineStore('shoot', () => {
         const newUids = Object.keys(shoots)
         for (const uid of difference(oldUids, newUids)) {
           if (includes(state.froozenUids, uid)) {
-            state.staleShoots[uid] = state.shoots[uid]
+            const value = get(state.shoots, [uid])
+            set(state.staleShoots, [uid], value)
           }
         }
         for (const uid of difference(newUids, oldUids)) {
-          delete state.staleShoots[uid]
+          unset(state.staleShoots, [uid])
         }
       }
       state.shoots = shoots
@@ -629,9 +633,10 @@ const useShootStore = defineStore('shoot', () => {
       shootStore.$patch(({ state }) => {
         for (const uid of deletedUids) {
           if (state.focusMode) {
-            state.staleShoots[uid] = state.shoots[uid]
+            const value = get(state.shoots, [uid])
+            set(state.staleShoots, [uid], value)
           }
-          delete state.shoots[uid]
+          unset(state.shoots, [uid])
         }
         for (const item of items) {
           if (item.kind === 'Status') {
@@ -639,15 +644,15 @@ const useShootStore = defineStore('shoot', () => {
             if (item.code === 404) {
               const uid = item.details?.uid
               if (uid) {
-                delete state.shoots[uid]
+                unset(state.shoots, [uid])
               }
             }
           } else if (notOnlyShootsWithIssues || shootHasIssue(item)) {
             const uid = item.metadata.uid
             if (state.focusMode) {
-              delete state.staleShoots[uid]
+              unset(state.staleShoots, [uid])
             }
-            state.shoots[uid] = markRaw(item)
+            set(state.shoots, [uid], markRaw(item))
           }
         }
       })
diff --git a/frontend/src/store/ticket.js b/frontend/src/store/ticket.js
index eaeff1c4d6..daa53af19e 100644
--- a/frontend/src/store/ticket.js
+++ b/frontend/src/store/ticket.js
@@ -19,6 +19,7 @@ import {
   assign,
   findIndex,
   get,
+  set,
   head,
   matches,
   matchesProperty,
@@ -58,15 +59,15 @@ const deleteComment = (issueComments, deletedItem) => {
   // eslint-disable-next-line
   const index = findIndex(commentForIssue(state, issueNumber), matchesProperty('metadata.id', deletedItem.metadata.id))
   if (index !== -1) {
-    issueComments.value[issueNumber].splice(index, 1)
+    get(issueComments.value, [issueNumber]).splice(index, 1)
   }
 }
 
 const commentForIssue = (issueComments, issueNumber) => {
-  if (!issueComments.value[issueNumber]) {
-    issueComments.value[issueNumber] = []
+  if (!get(issueComments.value, [issueNumber])) {
+    set(issueComments.value, [issueNumber], [])
   }
-  return issueComments.value[issueNumber]
+  return get(issueComments.value, [issueNumber])
 }
 
 const putComment = (issueComments, newItem) => {
@@ -79,7 +80,7 @@ const putComment = (issueComments, newItem) => {
 const putToList = (list, newItem, updatedAtKeyPath, matcher, descending = true) => {
   const index = findIndex(list, matcher)
   if (index !== -1) {
-    const item = list[index]
+    const item = list[index] // eslint-disable-line security/detect-object-injection
     if (get(item, updatedAtKeyPath) <= get(newItem, updatedAtKeyPath)) {
       list.splice(index, 1, assign({}, item, newItem))
     }
@@ -112,11 +113,11 @@ export const useTicketStore = defineStore('ticket', () => {
 
   function issues ({ name, projectName }) {
     const key = issueKey(projectName, name)
-    return issuesMap.value[key] ?? []
+    return get(issuesMap.value, [key], [])
   }
 
   function comments ({ issueNumber }) {
-    return issueComments.value[issueNumber]
+    return get(issueComments.value, [issueNumber])
   }
 
   function latestUpdated ({ name, projectName }) {
@@ -125,7 +126,7 @@ export const useTicketStore = defineStore('ticket', () => {
 
   function labels ({ name, projectName }) {
     const key = issueKey(projectName, name)
-    return labelsMap.value[key] ?? []
+    return get(labelsMap.value, [key], [])
   }
 
   function receiveIssues (issues) {
diff --git a/frontend/src/utils/TimeWithOffset.js b/frontend/src/utils/TimeWithOffset.js
index 2dac1f5a76..26c863cfe2 100644
--- a/frontend/src/utils/TimeWithOffset.js
+++ b/frontend/src/utils/TimeWithOffset.js
@@ -4,12 +4,53 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-const timeWithOffsetRegex = /^(?:(\d{2}):?(\d{2}):?(\d{2})?)?(?:([+-])(\d{2}):?(\d{2}))?$/
+function splitIntoPairs (str) {
+  if (str.length % 2 !== 0) {
+    return null
+  }
+
+  const parts = []
+  for (let i = 0; i < str.length; i += 2) {
+    parts.push(str.slice(i, i + 2))
+  }
+
+  if (!parts.every(part => /^\d{2}$/.test(part))) {
+    return null
+  }
+
+  return parts
+}
 
 class TimeWithOffset {
-  constructor (timeString) {
-    const [ok, hours = '00', minutes = '00', , offsetSign = '+', offsetHours = '00', offsetMinutes = '00'] = timeWithOffsetRegex.exec(timeString) || []
-    this.valid = !!ok
+  constructor (value) {
+    let time = value
+    let offsetSign = '+'
+    let offset = '00:00'
+
+    const index = value.search(/[+-]/)
+    if (index !== -1) {
+      time = value.substring(0, index)
+      offsetSign = value[index] // eslint-disable-line security/detect-object-injection
+      offset = value.substring(index + 1)
+    }
+
+    const timeParts = splitIntoPairs(time.replaceAll(':', ''))
+    const [
+      hours = '00',
+      minutes = '00',
+    ] = Array.isArray(timeParts)
+      ? timeParts
+      : []
+
+    const offsetParts = splitIntoPairs(offset.replaceAll(':', ''))
+    const [
+      offsetHours = '00',
+      offsetMinutes = '00',
+    ] = Array.isArray(offsetParts)
+      ? offsetParts
+      : []
+
+    this.valid = !!(timeParts && offsetParts)
     Object.assign(this, {
       hours,
       minutes,
diff --git a/frontend/src/utils/crypto.js b/frontend/src/utils/crypto.js
index 7ca1fc6fa8..b952cb0fbe 100644
--- a/frontend/src/utils/crypto.js
+++ b/frontend/src/utils/crypto.js
@@ -8,6 +8,11 @@
 
 import md5 from 'md5'
 
+import {
+  get,
+  set,
+} from '@/lodash'
+
 export { md5 }
 
 export function normalizeObject (obj) {
@@ -24,8 +29,8 @@ export function normalizeObject (obj) {
     obj = Object.fromEntries(obj)
   }
   return Object.keys(obj).sort().reduce((accumulator, key) => {
-    accumulator[key] = normalizeValue(obj[key])
-    return accumulator
+    const value = get(obj, [key])
+    return set(accumulator, [key], normalizeValue(value))
   }, {})
 }
 
diff --git a/frontend/src/utils/errors.js b/frontend/src/utils/errors.js
index da2739595c..8044b4777a 100644
--- a/frontend/src/utils/errors.js
+++ b/frontend/src/utils/errors.js
@@ -9,6 +9,8 @@
 import statuses from 'statuses'
 import toIdentifier from 'toidentifier'
 
+import { get } from '@/lodash'
+
 function hasStatusCode (err, statusCode) {
   return err.statusCode === statusCode || err.response?.status === statusCode
 }
@@ -30,7 +32,7 @@ export function createError (name, message, properties) {
   if (typeof name === 'number') {
     const statusCode = name
     err.statusCode = statusCode
-    name = toIdentifier(statuses.message[statusCode] ?? 'http')
+    name = toIdentifier(get(statuses, [message, statusCode], 'http'))
   }
   name = toIdentifier(name)
   if (!name.endsWith('Error')) {
diff --git a/frontend/src/utils/hibernationSchedule.js b/frontend/src/utils/hibernationSchedule.js
index 7517e4b8f2..3adab733dc 100644
--- a/frontend/src/utils/hibernationSchedule.js
+++ b/frontend/src/utils/hibernationSchedule.js
@@ -10,6 +10,7 @@ import { v4 as uuidv4 } from './uuid'
 import moment from './moment'
 
 import {
+  get,
   isEmpty,
   replace,
   split,
@@ -20,14 +21,17 @@ import {
   toUpper,
 } from '@/lodash'
 
-const scheduleCrontabRegex = /^(\d{1,2})\s(\d{1,2})\s\*\s\*\s((?:[0-7,*-]*|MON|TUE|WED|THU|FRI|SAT|SUN)+)$/
-
-function parseCronExpression (value) {
-  const matches = scheduleCrontabRegex.exec(toUpper(value))
-  if (!matches) {
+export function parseCronExpression (value) {
+  const [minute, hour, dayOfMonth, month, dayOfWeek] = toUpper(value).split(/\s/)
+  if (
+    !/^\d{1,2}$/.test(minute) ||
+    !/^\d{1,2}$/.test(hour) ||
+    dayOfMonth !== '*' ||
+    month !== '*' ||
+    !/^[A-Z0-7*,-]+$/.test(dayOfWeek)
+  ) {
     return
   }
-  let [, minute, hour, weekdays] = matches
 
   // replace weekday shortnames, * and 7 with default integer values
   const intVals = {
@@ -41,10 +45,13 @@ function parseCronExpression (value) {
     7: 0,
     '*': '1,2,3,4,5,6,0',
   }
-  weekdays = replace(weekdays, /[7*]|MON|TUE|WED|THU|FRI|SAT|SUN/g, weekday => intVals[weekday])
+  let weekdays = replace(dayOfWeek, /([7*]|MON|TUE|WED|THU|FRI|SAT|SUN)/g, weekday => get(intVals, [weekday]))
 
   // convert to array
   weekdays = split(weekdays, ',')
+  if (!weekdays.every(day => /^([0-6]|[0-6]-[0-6])$/.test(day))) {
+    return
+  }
 
   // resolve intervals
   weekdays = flatMap(weekdays, weekdayOrInterval => {
diff --git a/frontend/src/utils/index.js b/frontend/src/utils/index.js
index 8e22cfbb20..31eaea3635 100644
--- a/frontend/src/utils/index.js
+++ b/frontend/src/utils/index.js
@@ -24,6 +24,7 @@ import {
   capitalize,
   replace,
   get,
+  set,
   head,
   map,
   toLower,
@@ -44,10 +45,7 @@ import {
 
 const serviceAccountRegex = /^system:serviceaccount:([^:]+):([^:]+)$/
 const sizeRegex = /^(\d+)Gi$/
-const emailRegex = /^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/
 const colorCodeRegex = /^#([a-f0-9]{6}|[a-f0-9]{3})$/i
-const magnitudeNumberSuffixRegex = /^(\d+(?:\.\d*)?)([kmbt]?)$/i
-const versionRegex = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*([-+].+)?$/
 
 const logger = useLogger()
 
@@ -169,7 +167,36 @@ export function parseSize (value) {
 }
 
 export function isEmail (value) {
-  return emailRegex.test(value)
+  if (typeof value !== 'string' || value.length > 320) {
+    return false
+  }
+
+  const parts = value.split('@')
+  if (parts.length !== 2) {
+    return false
+  }
+
+  const [local, domain] = parts
+  if (!/^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]{1,64}$/.test(local)) {
+    return false
+  }
+
+  const domainParts = domain.split('.')
+  if (domainParts.length < 2) {
+    return false
+  }
+  const lastIndex = domainParts.length - 1
+  const isValidPart = (part, index) => {
+    const minLength = index < lastIndex ? 1 : 2
+    return part.length < minLength || part.length > 63
+      ? false
+      : /^[a-zA-Z0-9-]*$/.test(part)
+  }
+  if (!domainParts.every(isValidPart)) {
+    return false
+  }
+
+  return true
 }
 
 export function gravatarUrlGeneric (username, size = 128) {
@@ -563,14 +590,14 @@ const allowedSemverDiffs = {
 
 export function machineImageHasUpdate (machineImage, machineImages) {
   let { updateStrategy } = machineImage
-  if (!allowedSemverDiffs[updateStrategy]) {
+  if (!Object.keys(allowedSemverDiffs).includes(updateStrategy)) {
     updateStrategy = 'major'
   }
   return some(machineImages, ({ version, vendorName, isSupported }) => {
     return isSupported &&
       machineImage.vendorName === vendorName &&
       semver.gt(version, machineImage.version) &&
-      allowedSemverDiffs[updateStrategy].includes(semver.diff(version, machineImage.version))
+      get(allowedSemverDiffs, [updateStrategy], []).includes(semver.diff(version, machineImage.version))
   })
 }
 
@@ -588,8 +615,12 @@ export function sortedRoleDisplayNames (roleNames) {
 
 export function mapTableHeader (headers, valueKey) {
   const obj = {}
-  for (const { key, [valueKey]: value } of headers) {
-    obj[key] = value
+  for (const header of headers) {
+    const {
+      key,
+      [valueKey]: value,
+    } = header
+    set(obj, [key], value)
   }
   return obj
 }
@@ -616,22 +647,38 @@ export function omitKeysWithSuffix (obj, suffix) {
 }
 
 export function parseNumberWithMagnitudeSuffix (abbreviatedNumber) {
-  const [, number, suffix] = magnitudeNumberSuffixRegex.exec(abbreviatedNumber) ?? []
-  if (!number) {
+  let number = abbreviatedNumber
+  let suffix = ''
+  if (/[kmbt]$/i.test(abbreviatedNumber)) {
+    suffix = abbreviatedNumber.slice(-1)
+    number = abbreviatedNumber.slice(0, -1)
+  }
+  number = Number(number)
+  if (isNaN(number)) {
     logger.error(`Failed to parse ${abbreviatedNumber} because it doesn't follow the required format: a number optionally with a decimal, followed by an optional magnitude suffix ('k', 'm', 'b', 't').`)
     return null
   }
 
   const suffixFactors = { k: 1e3, m: 1e6, b: 1e9, t: 1e12 }
   const factor = suffixFactors[suffix?.toLowerCase()] ?? 1
-  return Number(number) * factor
+  return number * factor
 }
 
 export function normalizeVersion (version) {
-  const [match, major, minor = '0', patch = '0', suffix = ''] = versionRegex.exec(version) ?? []
-  if (match) {
-    return [major, minor, patch].map(Number).join('.') + suffix
+  let suffix = ''
+
+  const index = version.search(/[+-]/)
+  if (index !== -1) {
+    suffix = version.substring(index)
+    version = version.substring(0, index)
+  }
+
+  const parts = version.split('.')
+  if (!parts.every(part => /^\d+$/.test(part))) {
+    return
   }
+  const [major, minor = '0', patch = '0'] = parts
+  return [major, minor, patch].map(Number).join('.') + suffix
 }
 
 export default {
diff --git a/frontend/src/utils/shoot.js b/frontend/src/utils/shoot.js
index 8c2eaf8828..bbc7685315 100644
--- a/frontend/src/utils/shoot.js
+++ b/frontend/src/utils/shoot.js
@@ -224,7 +224,8 @@ export function getDefaultNetworkConfigurationForAllZones (numberOfZones, infras
     case 'aws': {
       const zoneNetworksAws = splitCIDR(workerCIDR, numberOfZones)
       return map(range(numberOfZones), index => {
-        const bigNetWorks = splitCIDR(zoneNetworksAws[index], 2)
+        const zoneNetwork = zoneNetworksAws[index] // eslint-disable-line security/detect-object-injection
+        const bigNetWorks = splitCIDR(zoneNetwork, 2)
         const workerNetwork = bigNetWorks[0]
         const smallNetworks = splitCIDR(bigNetWorks[1], 2)
         const publicNetwork = smallNetworks[0]
@@ -239,8 +240,9 @@ export function getDefaultNetworkConfigurationForAllZones (numberOfZones, infras
     case 'alicloud': {
       const zoneNetworksAli = splitCIDR(workerCIDR, numberOfZones)
       return map(range(numberOfZones), index => {
+        const zoneNetwork = zoneNetworksAli[index] // eslint-disable-line security/detect-object-injection
         return {
-          workers: zoneNetworksAli[index],
+          workers: zoneNetwork,
         }
       })
     }
@@ -253,9 +255,10 @@ export function getDefaultZonesNetworkConfiguration (zones, infrastructureKind,
     return undefined
   }
   return map(zones, (zone, index) => {
+    const zoneConfiguration = zoneConfigurations[index] // eslint-disable-line security/detect-object-injection
     return {
       name: zone,
-      ...zoneConfigurations[index],
+      ...zoneConfiguration,
     }
   })
 }
diff --git a/frontend/src/utils/validators.js b/frontend/src/utils/validators.js
index 2413ee2011..ae38328ff7 100644
--- a/frontend/src/utils/validators.js
+++ b/frontend/src/utils/validators.js
@@ -5,12 +5,16 @@
 //
 
 import { helpers } from '@vuelidate/validators'
+import { Base64 } from 'js-base64'
 
-import { includes } from '@/lodash'
+import {
+  get,
+  set,
+  includes,
+} from '@/lodash'
 
 const { withParams, regex, withMessage } = helpers
 
-const base64Pattern = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
 const alphaNumUnderscorePattern = /^\w+$/
 const alphaNumUnderscoreHyphenPattern = /^[a-zA-Z0-9-_]+$/
 const lowerCaseAlphaNumHyphenPattern = /^[-a-z0-9]*$/
@@ -19,7 +23,9 @@ const startEndHyphenPattern = /^-.*.|.*-$/
 const numberOrPercentagePattern = /^[\d]+[%]?$/
 export const timezonePattern = /^([+-])(\d{2}):(\d{2})$/
 
-const base64 = withMessage('Must be a valid base64 string', regex(base64Pattern))
+const base64 = withMessage('Must be a valid base64 string', value => {
+  return Base64.isValid(value)
+})
 const alphaNumUnderscore = withMessage('Must contain only alphanumeric characters and underscore', regex(alphaNumUnderscorePattern))
 const lowerCaseAlphaNumHyphen = withMessage('Must contain only lowercase alphanumeric characters or hyphen', regex(lowerCaseAlphaNumHyphenPattern))
 const noConsecutiveHyphen = withMessage('Must not contain consecutive hyphens', value => {
@@ -66,7 +72,7 @@ const includesIfAvailable = (key, reference) => withMessage(`Value of property '
   withParams(
     { type: 'includesIfAvailable', key },
     function includesIfAvailable (selectedKeys) {
-      const availableKeys = this[reference]
+      const availableKeys = get(this, [reference])
       return includes(availableKeys, key) ? includes(selectedKeys, key) : true
     },
   ))
@@ -76,7 +82,7 @@ const withFieldName = (fieldName, validators) => {
     if (typeof fieldName === 'function') {
       fieldName = fieldName.call(this)
     }
-    validators[key] = withParams({ fieldName }, validator)
+    set(validators, [key], withParams({ fieldName }, validator))
   }
   return validators
 }
diff --git a/frontend/src/views/GAdministration.vue b/frontend/src/views/GAdministration.vue
index 78fd14c4d2..ae077131b8 100644
--- a/frontend/src/views/GAdministration.vue
+++ b/frontend/src/views/GAdministration.vue
@@ -609,7 +609,7 @@ const userList = computed(() => {
 })
 const isValidCostObject = withMessage(
   costObjectErrorMessage.value,
-  helpers.regex(new RegExp(costObjectRegex.value)),
+  helpers.regex(costObjectRegex.value),
 )
 const costObjectRules = computed(() => ({ costObject: isValidCostObject }))
 const ownerRules = computed(() => {
diff --git a/frontend/src/views/GSecrets.vue b/frontend/src/views/GSecrets.vue
index 2669a24403..e872292a49 100644
--- a/frontend/src/views/GSecrets.vue
+++ b/frontend/src/views/GSecrets.vue
@@ -580,7 +580,7 @@ export default {
         case 'infrastructure':
           return `${item.infrastructureName} ${item.cloudProfileName}`
         default:
-          return item[column]
+          return get(item, [column])
       }
     },
     disableCustomKeySort (tableHeaders) {
diff --git a/packages/kube-client/__tests__/cache.informer.test.js b/packages/kube-client/__tests__/cache.informer.test.js
index 97f7a52c70..b810ddf3a2 100644
--- a/packages/kube-client/__tests__/cache.informer.test.js
+++ b/packages/kube-client/__tests__/cache.informer.test.js
@@ -7,7 +7,6 @@
 'use strict'
 
 const { Informer, ListWatcher, Store, Reflector } = require('../lib/cache')
-const { getOwnSymbolProperty } = fixtures.helper
 const { Foo } = fixtures.resources
 
 describe('kube-client', () => {
@@ -34,12 +33,12 @@ describe('kube-client', () => {
         listFunc = jest.fn()
         watchFunc = jest.fn()
         listWatcher = new ListWatcher(listFunc, watchFunc, Foo)
-        informer = Informer.create(listWatcher, { keyPath: 'uid' })
+        informer = Informer.createTestingInformer(listWatcher, { keyPath: 'uid' })
         informer.emit = jest.fn()
-        internalAbortController = getOwnSymbolProperty(informer, 'abortController')
+        internalAbortController = informer.abortController
         internalAbortController.abort = jest.fn()
-        store = getOwnSymbolProperty(informer, 'store')
-        reflector = getOwnSymbolProperty(informer, 'reflector')
+        store = informer.store
+        reflector = informer.reflector
         reflector.run = jest.fn()
       })
 
diff --git a/packages/kube-client/__tests__/util.test.js b/packages/kube-client/__tests__/util.test.js
new file mode 100644
index 0000000000..cde2512b18
--- /dev/null
+++ b/packages/kube-client/__tests__/util.test.js
@@ -0,0 +1,33 @@
+//
+// SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+'use strict'
+
+const { setPatchType, PatchType } = require('../lib/util')
+
+describe('kube-client', () => {
+  describe('util', () => {
+    describe('#setPatchType', () => {
+      let options
+
+      beforeEach(() => {
+        options = {}
+      })
+
+      it('should set the MERGE patch type', async () => {
+        expect(setPatchType(options, PatchType.MERGE)).toEqual({
+          headers: {
+            'content-type': 'application/merge-patch+json'
+          }
+        })
+      })
+
+      it('should throw an error for invalid patch types', () => {
+        expect(() => setPatchType(options, 'invalid')).toThrow(TypeError)
+      })
+    })
+  })
+})
diff --git a/packages/kube-client/lib/Client.js b/packages/kube-client/lib/Client.js
index 2036a0b898..b2bc05a8d4 100644
--- a/packages/kube-client/lib/Client.js
+++ b/packages/kube-client/lib/Client.js
@@ -17,11 +17,11 @@ const nonResourceEndpoints = require('./nonResourceEndpoints')
 
 const { fromKubeconfig, parseKubeconfig } = require('@gardener-dashboard/kube-config')
 
-const kClientConfig = Symbol('kClientConfig')
-
 class Client {
+  #clientConfig
+
   constructor (clientConfig, options) {
-    this[kClientConfig] = clientConfig
+    this.#clientConfig = clientConfig
     // add hooks for logging
     options = debug.attach(options)
     // assign grouped resources (e.g. core.)
@@ -31,9 +31,9 @@ class Client {
   }
 
   get cluster () {
-    const server = this[kClientConfig].url
-    const certificateAuthority = this[kClientConfig].ca
-    const insecureSkipTlsVerify = !this[kClientConfig].rejectUnauthorized
+    const server = this.#clientConfig.url
+    const certificateAuthority = this.#clientConfig.ca
+    const insecureSkipTlsVerify = !this.#clientConfig.rejectUnauthorized
     return {
       server: new URL(server),
       certificateAuthority,
diff --git a/packages/kube-client/lib/cache/Informer.js b/packages/kube-client/lib/cache/Informer.js
index e43dc91d1c..5a633eeb21 100644
--- a/packages/kube-client/lib/cache/Informer.js
+++ b/packages/kube-client/lib/cache/Informer.js
@@ -10,17 +10,16 @@ const EventEmitter = require('events')
 const Reflector = require('./Reflector')
 const Store = require('./Store')
 
-const kReflector = Symbol('reflector')
-const kAbortController = Symbol('abortController')
-const kStore = Symbol('store')
-
 class Informer extends EventEmitter {
+  #reflector
+  #abortController = new AbortController()
+  #store
+
   constructor (listWatcher, { keyPath } = {}) {
     super()
-    this[kAbortController] = new AbortController()
-    const store = this[kStore] = new Store({ keyPath })
+    const store = this.#store = new Store({ keyPath })
     const emitter = this
-    this[kReflector] = Reflector.create(listWatcher, {
+    this.#reflector = Reflector.create(listWatcher, {
       replace (items, resourceVersion) {
         const events = new Map()
         for (const key of store.listKeys()) {
@@ -65,35 +64,56 @@ class Informer extends EventEmitter {
   }
 
   get names () {
-    return this[kReflector].names
+    return this.#reflector.names
   }
 
   get store () {
-    return this[kStore]
+    return this.#store
   }
 
   get hasSynced () {
-    return this[kStore].hasSynced
+    return this.#store.hasSynced
   }
 
   get lastSyncResourceVersion () {
-    return this[kReflector].lastSyncResourceVersion
+    return this.#reflector.lastSyncResourceVersion
   }
 
   abort () {
-    this[kAbortController].abort()
+    this.#abortController.abort()
   }
 
   run (signal) {
     if (signal instanceof AbortSignal) {
       signal.addEventListener('abort', () => this.abort(), { once: true })
     }
-    this[kReflector].run(this[kAbortController].signal)
+    this.#reflector.run(this.#abortController.signal)
   }
 
   static create (...args) {
     return new this(...args)
   }
+
+  static createTestingInformer (...args) {
+    const informer = new this(...args)
+    return Object.defineProperties(informer, {
+      reflector: {
+        get () {
+          return informer.#reflector
+        }
+      },
+      store: {
+        get () {
+          return informer.#store
+        }
+      },
+      abortController: {
+        get () {
+          return informer.#abortController
+        }
+      }
+    })
+  }
 }
 
 module.exports = Informer
diff --git a/packages/kube-client/lib/cache/Store.js b/packages/kube-client/lib/cache/Store.js
index 19e3b6ffa5..5b8b6dbcba 100644
--- a/packages/kube-client/lib/cache/Store.js
+++ b/packages/kube-client/lib/cache/Store.js
@@ -8,56 +8,56 @@
 
 const { get, matches, matchesProperty, property, isPlainObject } = require('lodash')
 
-const kMap = Symbol('map')
-const kKeyPath = Symbol('keyPath')
-const kKeyFunc = Symbol('keyFunc')
-const kHasSynced = Symbol('hasSynced')
-const kResolve = Symbol('resolve')
-
 class Store {
-  constructor ({ keyPath = 'metadata.uid' } = {}) {
-    this[kMap] = new Map()
-    this[kKeyPath] = keyPath
-    this[kHasSynced] = false
+  #map = new Map()
+  #keyPath = 'metadata.uid'
+  #hasSynced = false
+  #resolve = undefined
+
+  constructor (options) {
+    this.#map = new Map()
+    if (options?.keyPath) {
+      this.#keyPath = options.keyPath
+    }
     const untilHasSynced = new Promise(resolve => {
-      this[kResolve] = () => {
-        this[kHasSynced] = true
+      this.#resolve = () => {
+        this.#hasSynced = true
         resolve()
       }
     })
     Reflect.defineProperty(this, 'untilHasSynced', { value: untilHasSynced })
   }
 
-  [kKeyFunc] (object) {
-    return get(object, this[kKeyPath])
+  #keyFunc (object) {
+    return get(object, this.#keyPath)
   }
 
   get hasSynced () {
-    return this[kHasSynced]
+    return this.#hasSynced
   }
 
   listKeys () {
-    return Array.from(this[kMap].keys())
+    return Array.from(this.#map.keys())
   }
 
   list () {
-    return Array.from(this[kMap].values())
+    return Array.from(this.#map.values())
   }
 
   clear () {
-    this[kMap].clear()
+    this.#map.clear()
   }
 
   getKey (object) {
-    return this[kKeyFunc](object)
+    return this.#keyFunc(object)
   }
 
   getByKey (key) {
-    return this[kMap].get(key)
+    return this.#map.get(key)
   }
 
   get (object) {
-    const key = this[kKeyFunc](object)
+    const key = this.#keyFunc(object)
     return this.getByKey(key)
   }
 
@@ -71,7 +71,7 @@ class Store {
     } else if (typeof predicate !== 'function') {
       throw new TypeError('Invalid predicate argument')
     }
-    for (const object of this[kMap].values()) {
+    for (const object of this.#map.values()) {
       if (predicate(object)) {
         return object
       }
@@ -79,17 +79,17 @@ class Store {
   }
 
   hasByKey (key) {
-    return this[kMap].has(key)
+    return this.#map.has(key)
   }
 
   has (object) {
-    const key = this[kKeyFunc](object)
+    const key = this.#keyFunc(object)
     return this.hasByKey(key)
   }
 
   set (object) {
-    const key = this[kKeyFunc](object)
-    this[kMap].set(key, object)
+    const key = this.#keyFunc(object)
+    this.#map.set(key, object)
   }
 
   add (object) {
@@ -101,23 +101,23 @@ class Store {
   }
 
   deleteByKey (key) {
-    this[kMap].delete(key)
+    this.#map.delete(key)
   }
 
   delete (object) {
-    const key = this[kKeyFunc](object)
-    this[kMap].delete(key)
+    const key = this.#keyFunc(object)
+    this.#map.delete(key)
   }
 
   replace (items) {
     this.clear()
     for (const object of items) {
-      const key = this[kKeyFunc](object)
-      this[kMap].set(key, object)
+      const key = this.#keyFunc(object)
+      this.#map.set(key, object)
     }
-    if (this[kResolve]) {
-      this[kResolve]()
-      this[kResolve] = undefined
+    if (this.#resolve) {
+      this.#resolve()
+      this.#resolve = undefined
     }
   }
 }
diff --git a/packages/kube-client/lib/debug.js b/packages/kube-client/lib/debug.js
index 19f82e8edb..f3a2ba98ab 100644
--- a/packages/kube-client/lib/debug.js
+++ b/packages/kube-client/lib/debug.js
@@ -98,7 +98,7 @@ function getUser ({ headers, key, cert }) {
 
 function beforeRequest (options) {
   const { url, method, headers, body } = options
-  options[xRequestStart] = Date.now()
+  options[xRequestStart] = Date.now() // eslint-disable-line security/detect-object-injection
   if (!('x-request-id' in headers)) {
     headers['x-request-id'] = xRequestId.next()
   }
diff --git a/packages/kube-client/lib/resources/index.js b/packages/kube-client/lib/resources/index.js
index dc5bf8fd9f..52d2243d65 100644
--- a/packages/kube-client/lib/resources/index.js
+++ b/packages/kube-client/lib/resources/index.js
@@ -16,7 +16,7 @@ const resourceGroups = _
   .value()
 
 function loadGroup ({ name }) {
-  const resources = require(`./${name}`)
+  const resources = require(`./${name}`) // eslint-disable-line security/detect-non-literal-require
   return _.mapKeys(resources, 'names.plural')
 }
 
diff --git a/packages/kube-client/lib/util.js b/packages/kube-client/lib/util.js
index d4586befa4..0708be9089 100644
--- a/packages/kube-client/lib/util.js
+++ b/packages/kube-client/lib/util.js
@@ -8,6 +8,7 @@
 
 const http2 = require('http2')
 const path = require('path')
+const _ = require('lodash')
 
 const {
   HTTP2_HEADER_CONTENT_TYPE
@@ -23,16 +24,8 @@ function decodeBase64 (value) {
   return Buffer.from(value, 'base64').toString('utf8')
 }
 
-function setHeader (options, key, value) {
-  if (!options.headers) {
-    options.headers = {}
-  }
-  options.headers[key] = value
-  return options
-}
-
 function setContentType (options, value) {
-  return setHeader(options, HTTP2_HEADER_CONTENT_TYPE, value)
+  return _.set(options, ['headers', HTTP2_HEADER_CONTENT_TYPE], value)
 }
 
 function setPatchType (options, type = PatchType.MERGE) {
@@ -80,7 +73,6 @@ function validateLabelValue (name) {
 
 exports = module.exports = {
   decodeBase64,
-  setHeader,
   setContentType,
   PatchType,
   setPatchType,
diff --git a/packages/kube-client/package.json b/packages/kube-client/package.json
index c2e0419436..a1684ac89b 100644
--- a/packages/kube-client/package.json
+++ b/packages/kube-client/package.json
@@ -42,6 +42,7 @@
     "eslint-plugin-jest": "^26.9.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "express": "^4.18.3",
     "jest": "^29.7.0"
   },
@@ -55,6 +56,7 @@
     ],
     "extends": [
       "standard",
+      "plugin:security/recommended-legacy",
       "plugin:jest/recommended"
     ],
     "globals": {
@@ -62,7 +64,21 @@
     },
     "rules": {
       "no-console": "error"
-    }
+    },
+    "overrides": [
+      {
+        "files": [
+          "**/__fixtures__/**",
+          "**/__mocks__/**",
+          "**/__tests__/**",
+          "jest.setup.js"
+        ],
+        "rules": {
+          "security/detect-object-injection": "off",
+          "security/detect-non-literal-require": "off"
+        }
+      }
+    ]
   },
   "jest": {
     "restoreMocks": true,
@@ -79,7 +95,7 @@
     "coverageThreshold": {
       "global": {
         "branches": 73,
-        "functions": 98,
+        "functions": 97,
         "lines": 94,
         "statements": 94
       }
diff --git a/packages/kube-config/__tests__/kube-config.test.js b/packages/kube-config/__tests__/kube-config.test.js
index 34effc261d..8fbb1b3e6a 100644
--- a/packages/kube-config/__tests__/kube-config.test.js
+++ b/packages/kube-config/__tests__/kube-config.test.js
@@ -103,7 +103,7 @@ describe('kube-config', () => {
         KUBECONFIG: '/path/to/kube/config:/path/to/another/kube/config'
       })
       expect(fs.readFileSync).toHaveBeenCalledTimes(1)
-      expect(fs.readFileSync.mock.calls[0]).toEqual(['/path/to/kube/config'])
+      expect(fs.readFileSync.mock.calls[0]).toEqual(['/path/to/kube/config', 'utf8'])
       expect(config).toEqual({
         url: server.origin,
         ca,
diff --git a/packages/kube-config/lib/ClientConfig.js b/packages/kube-config/lib/ClientConfig.js
index 99e69dbb5e..782fe9f3c9 100644
--- a/packages/kube-config/lib/ClientConfig.js
+++ b/packages/kube-config/lib/ClientConfig.js
@@ -25,7 +25,7 @@ function getCluster ({ currentCluster }, files) {
       cluster.certificateAuthority = base64Decode(caData)
     } else if (caFile) {
       files.set(caFile, 'certificateAuthority')
-      cluster.certificateAuthority = fs.readFileSync(caFile, 'utf8')
+      cluster.certificateAuthority = fs.readFileSync(caFile, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
     }
     if (typeof insecureSkipTlsVerify === 'boolean') {
       cluster.insecureSkipTlsVerify = insecureSkipTlsVerify
@@ -55,14 +55,14 @@ function getUser ({ currentUser }, files) {
       user.clientKey = base64Decode(keyData)
     } else if (certFile && keyFile) {
       files.set(certFile, 'clientCert')
-      user.clientCert = fs.readFileSync(certFile, 'utf8')
+      user.clientCert = fs.readFileSync(certFile, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
       files.set(keyFile, 'clientKey')
-      user.clientKey = fs.readFileSync(keyFile, 'utf8')
+      user.clientKey = fs.readFileSync(keyFile, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
     } else if (token) {
       user.token = token
     } else if (tokenFile) {
       files.set(tokenFile, 'token')
-      user.token = fs.readFileSync(tokenFile, 'utf8')
+      user.token = fs.readFileSync(tokenFile, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
     } else if (username && password) {
       user.username = username
       user.password = password
@@ -168,10 +168,19 @@ class ClientConfig {
       const watcher = new Watcher(Array.from(files.keys()), options)
       watcher.run((path, value) => {
         const key = files.get(path)
-        if (['certificateAuthority'].includes(key)) {
-          cluster[key] = value
-        } else if (['clientKey', 'clientCert', 'token'].includes(key)) {
-          user[key] = value
+        switch (key) {
+          case 'certificateAuthority':
+            cluster.certificateAuthority = value
+            break
+          case 'clientKey':
+            user.clientKey = value
+            break
+          case 'clientCert':
+            user.clientCert = value
+            break
+          case 'token':
+            user.token = value
+            break
         }
         watcher.emit(`update:${key}`)
       })
diff --git a/packages/kube-config/lib/index.js b/packages/kube-config/lib/index.js
index b0dcc1641e..acd9a7842d 100644
--- a/packages/kube-config/lib/index.js
+++ b/packages/kube-config/lib/index.js
@@ -29,10 +29,13 @@ function readKubeconfig (filename) {
     filename = filename.shift()
   }
   const dirname = path.dirname(filename)
-  const kubeconfig = yaml.load(fs.readFileSync(filename))
+  const kubeconfig = yaml.load(
+    fs.readFileSync(filename, 'utf8') // eslint-disable-line security/detect-non-literal-fs-filename
+  )
   const resolvePath = (object, key) => {
-    if (object[key]) {
-      object[key] = path.resolve(dirname, object[key])
+    const value = object[key] // eslint-disable-line security/detect-object-injection
+    if (value) {
+      object[key] = path.resolve(dirname, value) // eslint-disable-line security/detect-object-injection
     }
   }
   for (const { cluster } of kubeconfig.clusters) {
diff --git a/packages/kube-config/package.json b/packages/kube-config/package.json
index 55ac452d6b..cabb43e94e 100644
--- a/packages/kube-config/package.json
+++ b/packages/kube-config/package.json
@@ -38,6 +38,7 @@
     "eslint-plugin-jest": "^26.9.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "jest": "^29.7.0"
   },
   "eslintConfig": {
@@ -50,6 +51,7 @@
     ],
     "extends": [
       "standard",
+      "plugin:security/recommended-legacy",
       "plugin:jest/recommended"
     ],
     "globals": {
@@ -57,7 +59,20 @@
     },
     "rules": {
       "no-console": "error"
-    }
+    },
+    "overrides": [
+      {
+        "files": [
+          "**/__fixtures__/**",
+          "**/__mocks__/**",
+          "**/__tests__/**",
+          "jest.setup.js"
+        ],
+        "rules": {
+          "security/detect-non-literal-fs-filename": "off"
+        }
+      }
+    ]
   },
   "jest": {
     "restoreMocks": true,
diff --git a/packages/logger/lib/Logger.js b/packages/logger/lib/Logger.js
index e6bcb469b2..f9789473eb 100644
--- a/packages/logger/lib/Logger.js
+++ b/packages/logger/lib/Logger.js
@@ -40,7 +40,7 @@ class Logger {
 
   setLogLevel (value) {
     if (Reflect.has(LEVELS, value)) {
-      this.logLevel = LEVELS[value]
+      this.logLevel = LEVELS[value] // eslint-disable-line security/detect-object-injection
     }
   }
 
diff --git a/packages/logger/package.json b/packages/logger/package.json
index 3f3ba48353..40c900d260 100644
--- a/packages/logger/package.json
+++ b/packages/logger/package.json
@@ -33,6 +33,7 @@
     "eslint-plugin-jest": "^26.9.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "jest": "^29.7.0",
     "jest-date-mock": "^1.0.8"
   },
@@ -46,6 +47,7 @@
     ],
     "extends": [
       "standard",
+      "plugin:security/recommended-legacy",
       "plugin:jest/recommended"
     ],
     "globals": {},
diff --git a/packages/monitor/package.json b/packages/monitor/package.json
index 0686083b62..ef24aa5679 100644
--- a/packages/monitor/package.json
+++ b/packages/monitor/package.json
@@ -37,6 +37,7 @@
     "eslint-plugin-jest": "^26.9.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "jest": "^29.7.0",
     "supertest": "^7.0.0"
   },
@@ -50,6 +51,7 @@
     ],
     "extends": [
       "standard",
+      "plugin:security/recommended-legacy",
       "plugin:jest/recommended"
     ],
     "globals": {
@@ -58,7 +60,20 @@
     },
     "rules": {
       "no-console": "error"
-    }
+    },
+    "overrides": [
+      {
+        "files": [
+          "**/__fixtures__/**",
+          "**/__mocks__/**",
+          "**/__tests__/**",
+          "jest.setup.js"
+        ],
+        "rules": {
+          "security/detect-object-injection": "off"
+        }
+      }
+    ]
   },
   "jest": {
     "restoreMocks": true,
diff --git a/packages/request/lib/Client.js b/packages/request/lib/Client.js
index bc4e303ccc..7728c97d66 100644
--- a/packages/request/lib/Client.js
+++ b/packages/request/lib/Client.js
@@ -32,6 +32,14 @@ const {
   HTTP2_HEADER_CONTENT_ENCODING
 } = http2.constants
 
+function getHeader (headers, key) {
+  return headers[key] // eslint-disable-line security/detect-object-injection
+}
+
+function setHeader (headers, key, value) {
+  headers[key] = value // eslint-disable-line security/detect-object-injection
+}
+
 const EOL = '\n'
 
 class Client {
@@ -73,10 +81,10 @@ class Client {
     const headers = { ...this.#options.headers }
     const { bearer, user, pass } = this.#options.auth || {}
     if (bearer) {
-      headers[HTTP2_HEADER_AUTHORIZATION] = `Bearer ${bearer}`
+      setHeader(headers, HTTP2_HEADER_AUTHORIZATION, `Bearer ${bearer}`)
     } else if (user && pass) {
       const credentials = Buffer.from(user + ':' + pass, 'utf8').toString('base64')
-      headers[HTTP2_HEADER_AUTHORIZATION] = `Basic ${credentials}`
+      setHeader(headers, HTTP2_HEADER_AUTHORIZATION, `Basic ${credentials}`)
     }
     return headers
   }
@@ -108,11 +116,16 @@ class Client {
     }
   }
 
+  get #hooksMap () {
+    const hooks = this.#options.hooks ?? {}
+    return new Map(Object.entries(hooks))
+  }
+
   executeHooks (name, ...args) {
-    const hooks = this.#options.hooks || {}
     try {
-      if (Array.isArray(hooks[name])) {
-        for (const hook of hooks[name]) {
+      const hooks = this.#hooksMap.get(name)
+      if (Array.isArray(hooks)) {
+        for (const hook of hooks) {
           hook(...args)
         }
       }
@@ -159,8 +172,8 @@ class Client {
 
     // beforeRequest hooks
     const requestOptions = {
-      url: new URL(headers[HTTP2_HEADER_PATH], this.baseUrl.origin),
-      method: headers[HTTP2_HEADER_METHOD],
+      url: new URL(getHeader(headers, HTTP2_HEADER_PATH), this.baseUrl.origin),
+      method: getHeader(headers, HTTP2_HEADER_METHOD),
       headers,
       body,
       ...options
@@ -180,13 +193,13 @@ class Client {
     const { createDecompressor, concat, transformFactory } = this.constructor
 
     headers = await stream.getHeaders()
-    const decompressor = createDecompressor(headers[HTTP2_HEADER_CONTENT_ENCODING])
+    const decompressor = createDecompressor(getHeader(headers, HTTP2_HEADER_CONTENT_ENCODING))
 
     return {
       request: { options: requestOptions },
       headers,
       get statusCode () {
-        return this.headers[HTTP2_HEADER_STATUS]
+        return getHeader(this.headers, HTTP2_HEADER_STATUS)
       },
       get ok () {
         return this.statusCode >= 200 && this.statusCode < 300
@@ -195,10 +208,10 @@ class Client {
         return this.statusCode >= 300 && this.statusCode < 400
       },
       get contentType () {
-        return this.headers[HTTP2_HEADER_CONTENT_TYPE]
+        return getHeader(this.headers, HTTP2_HEADER_CONTENT_TYPE)
       },
       get contentLength () {
-        return this.headers[HTTP2_HEADER_CONTENT_LENGTH]
+        return getHeader(this.headers, HTTP2_HEADER_CONTENT_LENGTH)
       },
       get type () {
         if (['json', 'text'].includes(responseType)) {
@@ -293,8 +306,8 @@ class Client {
     headers = this.constructor.normalizeHeaders(headers)
     if (json) {
       body = JSON.stringify(json)
-      if (!headers[HTTP2_HEADER_CONTENT_TYPE]) {
-        headers[HTTP2_HEADER_CONTENT_TYPE] = 'application/json'
+      if (!getHeader(headers, HTTP2_HEADER_CONTENT_TYPE)) {
+        setHeader(headers, HTTP2_HEADER_CONTENT_TYPE, 'application/json')
       }
     }
     const response = await this.fetch(path, { headers, body, ...options })
@@ -307,7 +320,7 @@ class Client {
       headers,
       httpVersion: '2',
       statusCode,
-      statusMessage: http.STATUS_CODES[statusCode],
+      statusMessage: http.STATUS_CODES[statusCode], // eslint-disable-line security/detect-object-injection
       body,
       request: response.request
     }
diff --git a/packages/request/lib/Semaphore.js b/packages/request/lib/Semaphore.js
index 97fda8bff6..bd6a16e058 100644
--- a/packages/request/lib/Semaphore.js
+++ b/packages/request/lib/Semaphore.js
@@ -6,23 +6,28 @@
 
 'use strict'
 
-const kMaxConcurrency = Symbol('maxConcurrency')
 const kReleased = Symbol('released')
 
+function setReleased (obj, value) {
+  obj[kReleased] = value // eslint-disable-line security/detect-object-injection
+}
+
 class Semaphore {
+  #maxConcurrency = 0
+
   constructor (maxConcurrency = 100) {
-    this[kMaxConcurrency] = maxConcurrency
+    this.#maxConcurrency = maxConcurrency
     this.concurrency = 0
     this.queue = []
   }
 
   set maxConcurrency (value) {
-    this[kMaxConcurrency] = value
+    this.#maxConcurrency = value
     this.dispatch()
   }
 
   get maxConcurrency () {
-    return this[kMaxConcurrency]
+    return this.#maxConcurrency
   }
 
   get value () {
@@ -31,7 +36,7 @@ class Semaphore {
 
   acquire () {
     const ticket = new Promise(resolve => {
-      resolve[kReleased] = false
+      setReleased(resolve, false)
       this.queue.push(resolve)
     })
     this.dispatch()
@@ -43,8 +48,9 @@ class Semaphore {
       const resolve = this.queue.shift()
       this.concurrency++
       const releaser = () => {
-        if (!resolve[kReleased]) {
-          resolve[kReleased] = true
+        const { [kReleased]: released } = resolve
+        if (!released) {
+          setReleased(resolve, true)
           this.concurrency--
           this.dispatch()
         }
diff --git a/packages/request/lib/SessionId.js b/packages/request/lib/SessionId.js
index 2d29179279..bafee726db 100644
--- a/packages/request/lib/SessionId.js
+++ b/packages/request/lib/SessionId.js
@@ -7,38 +7,43 @@
 'use strict'
 
 const crypto = require('crypto')
+const { get, set } = require('lodash')
 
 const kOptions = Symbol('options')
 
 class SessionId extends URL {
   constructor (authority, options = {}) {
     super(createPath(options), authority)
-    this[kOptions] = options
+    this[kOptions] = options // eslint-disable-line security/detect-object-injection
   }
 
   getOptions () {
-    return this[kOptions]
+    return this[kOptions] // eslint-disable-line security/detect-object-injection
   }
 }
 
 function normalizeObject (object) {
   const normalizedObject = {}
   for (const key of Object.keys(object).sort()) {
-    const value = object[key]
+    const value = get(object, [key])
+    let normalizedValue
     switch (typeof value) {
       case 'string':
       case 'number':
       case 'boolean':
-        normalizedObject[key] = value
+        normalizedValue = value
         break
       case 'object':
         if (value) {
-          normalizedObject[key] = normalizeObject(value)
+          normalizedValue = normalizeObject(value)
         }
         break
       case 'undefined':
         break
     }
+    if (typeof normalizedValue !== 'undefined') {
+      set(normalizedObject, [key], normalizedValue)
+    }
   }
   return normalizedObject
 }
diff --git a/packages/request/lib/SessionPool.js b/packages/request/lib/SessionPool.js
index 966a1fb52a..36ba189622 100644
--- a/packages/request/lib/SessionPool.js
+++ b/packages/request/lib/SessionPool.js
@@ -20,10 +20,33 @@ const {
 } = http2.constants
 
 const kSemaphore = Symbol('semaphore')
-const kTimestamp = Symbol('timestamp')
 const kTimeoutId = Symbol('timeoutId')
 const kIntervalId = Symbol('intervalId')
 
+function setSemaphore (session, value) {
+  session[kSemaphore] = value // eslint-disable-line security/detect-object-injection
+}
+
+function setTimeoutId (session, value) {
+  session[kTimeoutId] = value // eslint-disable-line security/detect-object-injection
+}
+
+function setIntervalId (session, value) {
+  session[kIntervalId] = value // eslint-disable-line security/detect-object-injection
+}
+
+class Timer {
+  #timestamp
+
+  constructor () {
+    this.#timestamp = Date.now()
+  }
+
+  duration () {
+    return Date.now() - this.#timestamp
+  }
+}
+
 class SessionPool {
   constructor (id) {
     this.id = id
@@ -94,7 +117,7 @@ class SessionPool {
 
   async request (headers, options) {
     const session = this.getSession()
-    const semaphore = session[kSemaphore]
+    const { [kSemaphore]: semaphore } = session
     const [release, concurrency] = await semaphore.acquire()
     logger.trace('Session %s - stream aquired (%d/%d)', this.id, concurrency, semaphore.maxConcurrency)
     const releaseStream = () => {
@@ -128,7 +151,8 @@ class SessionPool {
         stream.once('close', () => {
           logger.trace('Session %s - stream %d closed', this.id, stream.id || -1)
           releaseStream()
-          if (session[kSemaphore].value >= session[kSemaphore].maxConcurrency) {
+          const { [kSemaphore]: semaphore } = session
+          if (semaphore.value >= semaphore.maxConcurrency) {
             this.setSessionTimeout(session)
           }
           if (!settled) {
@@ -155,13 +179,14 @@ class SessionPool {
 
   setSessionTimeout (session) {
     this.clearSessionTimeout(session)
-    session[kTimeoutId] = setTimeout(() => session.close(), this.keepAliveTimeout)
+    setTimeoutId(session, setTimeout(() => session.close(), this.keepAliveTimeout))
   }
 
   clearSessionTimeout (session) {
-    if (session[kTimeoutId]) {
-      clearTimeout(session[kTimeoutId])
-      session[kTimeoutId] = undefined
+    const { [kTimeoutId]: timeoutId } = session
+    if (timeoutId) {
+      clearTimeout(timeoutId)
+      setTimeoutId(session, undefined)
     }
   }
 
@@ -190,13 +215,14 @@ class SessionPool {
       }
     }
     logger.debug('Session %s - starting heartbeat with %ds ping interval', this.id, Math.floor(this.pingInterval / 1000))
-    session[kIntervalId] = setInterval(ping, this.pingInterval)
+    setIntervalId(session, setInterval(ping, this.pingInterval))
   }
 
   clearSessionHeartbeat (session) {
-    if (session[kIntervalId]) {
-      clearInterval(session[kIntervalId])
-      session[kIntervalId] = undefined
+    const { [kIntervalId]: intervalId } = session
+    if (intervalId) {
+      clearInterval(intervalId)
+      setIntervalId(session, undefined)
     }
   }
 
@@ -209,26 +235,25 @@ class SessionPool {
       session: this.tlsSession
     })
     const session = http2.connect(origin, options)
-    session[kTimestamp] = Date.now()
-    session[kSemaphore] = new Semaphore(this.peerMaxConcurrentStreams)
+    const timer = new Timer()
+    setSemaphore(session, new Semaphore(this.peerMaxConcurrentStreams))
     // add session
     this.sessions.add(session)
     logger.debug('Session %s - pool size is %d (scaled up)', this.id, this.sessions.size)
-    // get session duration
-    const duration = () => Date.now() - session[kTimestamp]
     // tls session can be used for resumption
     session.socket.once('session', session => {
-      logger.debug('Session %s - received tls session after %d ms', this.id, duration())
+      logger.debug('Session %s - received tls session after %d ms', this.id, timer.duration())
       this.tlsSession = session
     })
     // update maxConcurrency of semaphore
     const setMaxConcurrency = settings => {
-      const oldValue = session[kSemaphore].maxConcurrency
+      const { [kSemaphore]: semaphore } = session
+      const oldValue = semaphore.maxConcurrency
       const newValue = settings.maxConcurrentStreams
       if (oldValue !== newValue) {
         const change = oldValue < newValue ? 'increased' : 'creased'
         logger.debug('Session %s - maximum concurrency %s to %d', this.id, change, newValue)
-        session[kSemaphore].maxConcurrency = newValue
+        semaphore.maxConcurrency = newValue
       }
     }
     // handle connect timeout
@@ -247,7 +272,7 @@ class SessionPool {
     })
     // handle connect
     session.once('connect', () => {
-      logger.debug('Session %s - connected after %d ms', this.id, duration())
+      logger.debug('Session %s - connected after %d ms', this.id, timer.duration())
       clearTimeout(timeoutId)
       session.removeAllListeners('error')
       session.on('error', err => {
@@ -255,7 +280,7 @@ class SessionPool {
         this.tlsSession = undefined
       })
       session.once('close', () => {
-        logger.info('Session %s - closed after %d ms', this.id, duration())
+        logger.info('Session %s - closed after %d ms', this.id, timer.duration())
         this.deleteSession(session)
       })
       setMaxConcurrency(session.remoteSettings)
diff --git a/packages/request/lib/errors.js b/packages/request/lib/errors.js
index 0463bd912a..7bba698868 100644
--- a/packages/request/lib/errors.js
+++ b/packages/request/lib/errors.js
@@ -8,6 +8,7 @@
 
 const http = require('http')
 const createError = require('http-errors')
+const { get } = require('lodash')
 
 class TimeoutError extends Error {
   constructor (message) {
@@ -43,7 +44,18 @@ function isAbortError (err = {}) {
   return err.code === 'ABORT_ERR'
 }
 
-function createHttpError ({ statusCode = 500, statusMessage = http.STATUS_CODES[statusCode], response, headers, body }) {
+function getDefaultStatusMessage (statusCode) {
+  return get(http.STATUS_CODES, [statusCode])
+}
+
+function createHttpError (options) {
+  const {
+    statusCode = 500,
+    statusMessage = getDefaultStatusMessage(statusCode),
+    response,
+    headers,
+    body
+  } = options
   const properties = { statusMessage }
   if (headers) {
     properties.headers = { ...headers }
diff --git a/packages/request/package.json b/packages/request/package.json
index 5b05245952..3e0eb63121 100644
--- a/packages/request/package.json
+++ b/packages/request/package.json
@@ -38,6 +38,7 @@
     "eslint-plugin-jest": "^26.9.0",
     "eslint-plugin-n": "^15.7.0",
     "eslint-plugin-promise": "^6.6.0",
+    "eslint-plugin-security": "^3.0.1",
     "jest": "^29.7.0"
   },
   "eslintConfig": {
@@ -50,6 +51,7 @@
     ],
     "extends": [
       "standard",
+      "plugin:security/recommended-legacy",
       "plugin:jest/recommended"
     ],
     "globals": {
@@ -57,7 +59,20 @@
     },
     "rules": {
       "no-console": "error"
-    }
+    },
+    "overrides": [
+      {
+        "files": [
+          "**/__fixtures__/**",
+          "**/__mocks__/**",
+          "**/__tests__/**",
+          "jest.setup.js"
+        ],
+        "rules": {
+          "security/detect-object-injection": "off"
+        }
+      }
+    ]
   },
   "jest": {
     "restoreMocks": true,
diff --git a/yarn.lock b/yarn.lock
index c9a5fbda65..011340f18a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -749,6 +749,7 @@ __metadata:
     eslint-plugin-jest: "npm:^26.9.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     express: "npm:^4.18.3"
     express-static-gzip: "npm:^2.1.7"
     fast-json-patch: "npm:^3.1.1"
@@ -828,6 +829,7 @@ __metadata:
     eslint-plugin-import-newlines: "npm:^1.4.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     eslint-plugin-vitest: "npm:^0.4.0"
     eslint-plugin-vue: "npm:^9.23.0"
     eventemitter3: "npm:^5.0.1"
@@ -882,6 +884,7 @@ __metadata:
     eslint-plugin-jest: "npm:^26.9.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     express: "npm:^4.18.3"
     http-errors: "npm:^2.0.0"
     jest: "npm:^29.7.0"
@@ -905,6 +908,7 @@ __metadata:
     eslint-plugin-jest: "npm:^26.9.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     gtoken: "npm:^7.1.0"
     jest: "npm:^29.7.0"
     js-yaml: "npm:^4.1.0"
@@ -923,6 +927,7 @@ __metadata:
     eslint-plugin-jest: "npm:^26.9.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     jest: "npm:^29.7.0"
     jest-date-mock: "npm:^1.0.8"
   languageName: unknown
@@ -939,6 +944,7 @@ __metadata:
     eslint-plugin-jest: "npm:^26.9.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     express: "npm:^4.18.3"
     http-errors: "npm:^2.0.0"
     jest: "npm:^29.7.0"
@@ -961,6 +967,7 @@ __metadata:
     eslint-plugin-jest: "npm:^26.9.0"
     eslint-plugin-n: "npm:^15.7.0"
     eslint-plugin-promise: "npm:^6.6.0"
+    eslint-plugin-security: "npm:^3.0.1"
     http-errors: "npm:^2.0.0"
     jest: "npm:^29.7.0"
     lodash: "npm:^4.17.21"
@@ -4501,6 +4508,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"eslint-plugin-security@npm:^3.0.1":
+  version: 3.0.1
+  resolution: "eslint-plugin-security@npm:3.0.1"
+  dependencies:
+    safe-regex: "npm:^2.1.1"
+  checksum: 10c0/6b85feabe389b73e0a5961abfeac79214d61699249c990c9a66628a5e45870b49f1ab0be63223dfd75c4046ff9632f42a963790616f66e2c6d59b6c24643c5e0
+  languageName: node
+  linkType: hard
+
 "eslint-plugin-vitest@npm:^0.4.0":
   version: 0.4.1
   resolution: "eslint-plugin-vitest@npm:0.4.1"
@@ -8185,6 +8201,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"regexp-tree@npm:~0.1.1":
+  version: 0.1.27
+  resolution: "regexp-tree@npm:0.1.27"
+  bin:
+    regexp-tree: bin/regexp-tree
+  checksum: 10c0/f636f44b4a0d93d7d6926585ecd81f63e4ce2ac895bc417b2ead0874cd36b337dcc3d0fedc63f69bf5aaeaa4340f36ca7e750c9687cceaf8087374e5284e843c
+  languageName: node
+  linkType: hard
+
 "regexp.prototype.flags@npm:^1.5.2":
   version: 1.5.2
   resolution: "regexp.prototype.flags@npm:1.5.2"
@@ -8483,6 +8508,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"safe-regex@npm:^2.1.1":
+  version: 2.1.1
+  resolution: "safe-regex@npm:2.1.1"
+  dependencies:
+    regexp-tree: "npm:~0.1.1"
+  checksum: 10c0/53eb5d3ecf4b3c0954dff465eb179af4d2f5f77f74ba7b57489adbc4fa44454c3d391f37379cd28722d9ac6fa5b70be3f4645d4bd25df395fd99b934f6ec9265
+  languageName: node
+  linkType: hard
+
 "safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0":
   version: 2.1.2
   resolution: "safer-buffer@npm:2.1.2"