diff --git a/.changeset/fix-npmjs-audit-endpoint.md b/.changeset/fix-npmjs-audit-endpoint.md new file mode 100644 index 0000000000..884bbf2fe2 --- /dev/null +++ b/.changeset/fix-npmjs-audit-endpoint.md @@ -0,0 +1,29 @@ +--- +"@pnpm/deps.compliance.audit": major +"@pnpm/deps.compliance.commands": major +"@pnpm/types": major +"pnpm": major +--- + +`pnpm audit` now calls npm's `/-/npm/v1/security/advisories/bulk` endpoint. The legacy `/-/npm/v1/security/audits{,/quick}` endpoints have been retired by the registry, so the legacy request/response contract is no longer supported. + +The new endpoint returns only `id`, `url`, `title`, `severity`, `vulnerable_versions`, and `cwe` per advisory. Everything else is computed locally: + +- `findings[].paths` are computed by walking the lockfile and matching `vulnerable_versions` via semver. +- `metadata.vulnerabilities` counts advisories per severity. +- `metadata.dependencies`, `devDependencies`, `optionalDependencies`, and `totalDependencies` are computed from the lockfile. +- `patched_versions` is inferred from `vulnerable_versions` for the common `` / `pnpm audit --ignore-unfixable` now read and write GHSAs instead of CVEs +- GHSAs are derived from each advisory's `url` (`https://github.com/advisories/GHSA-xxxx-xxxx-xxxx`) + +To migrate: replace each `CVE-YYYY-NNNNN` entry in your `auditConfig.ignoreCves` with the corresponding `GHSA-xxxx-xxxx-xxxx` value (visible in the `More info` column of `pnpm audit` output) and move it under `auditConfig.ignoreGhsas`. diff --git a/config/reader/src/Config.ts b/config/reader/src/Config.ts index 8e8ff24e21..f0bcfb8cc6 100644 --- a/config/reader/src/Config.ts +++ b/config/reader/src/Config.ts 
@@ -255,7 +255,7 @@ export interface Config extends OptionsFromRootManifest { trustPolicy?: TrustPolicy trustPolicyExclude?: string[] trustPolicyIgnoreAfter?: number - auditLevel?: 'low' | 'moderate' | 'high' | 'critical' + auditLevel?: 'info' | 'low' | 'moderate' | 'high' | 'critical' packageConfigs?: ProjectConfigSet } diff --git a/core/types/src/misc.ts b/core/types/src/misc.ts index 14a32971d8..7495bc9e9e 100644 --- a/core/types/src/misc.ts +++ b/core/types/src/misc.ts @@ -98,6 +98,7 @@ export interface PackageVulnerability { } export type VulnerabilitySeverity = + | 'info' | 'low' | 'moderate' | 'high' diff --git a/core/types/src/package.ts b/core/types/src/package.ts index 32238bc405..15722402f4 100644 --- a/core/types/src/package.ts +++ b/core/types/src/package.ts @@ -165,7 +165,6 @@ export type ConfigDependencies = Record export interface AuditConfig { - ignoreCves?: string[] ignoreGhsas?: string[] } diff --git a/deps/compliance/audit/package.json b/deps/compliance/audit/package.json index 16f49474ee..34240c4afa 100644 --- a/deps/compliance/audit/package.json +++ b/deps/compliance/audit/package.json @@ -32,6 +32,7 @@ ".test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" jest" }, "dependencies": { + "@pnpm/deps.path": "workspace:*", "@pnpm/error": "workspace:*", "@pnpm/fetching.types": "workspace:*", "@pnpm/lockfile.detect-dep-types": "workspace:*", @@ -41,8 +42,7 @@ "@pnpm/lockfile.walker": "workspace:*", "@pnpm/network.fetch": "workspace:*", "@pnpm/types": "workspace:*", - "@pnpm/workspace.project-manifest-reader": "workspace:*", - "ramda": "catalog:" + "semver": "catalog:" }, "peerDependencies": { "@pnpm/logger": "catalog:" @@ -53,7 +53,7 @@ "@pnpm/logger": "workspace:*", "@pnpm/test-fixtures": "workspace:*", "@pnpm/testing.mock-agent": "workspace:*", - "@types/ramda": "catalog:" + "@types/semver": "catalog:" }, "engines": { "node": ">=22.13" 
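Review bot: Deleting `ignoreCves` from `AuditConfig` in core/types/src/package.ts leaves no place for a deprecation signal, so a manifest that still carries `auditConfig.ignoreCves` will, as far as the visible hunks show, have those entries silently dropped rather than flagged for the GHSA migration the changeset describes. Keeping the field as `/** @deprecated CVE ids are no longer matched; move entries to ignoreGhsas. */ ignoreCves?: string[]` lets the config reader detect the stale key and print the migration hint instead of just ceasing to honour it. Whether the manifest reader rejects or ignores an unknown key is not visible in this diff.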
diff --git a/deps/compliance/audit/src/index.ts b/deps/compliance/audit/src/index.ts index 1a3fb997fe..81dbdd91d9 100644 --- a/deps/compliance/audit/src/index.ts +++ b/deps/compliance/audit/src/index.ts @@ -1,14 +1,40 @@ import { PnpmError } from '@pnpm/error' import type { GetAuthHeader } from '@pnpm/fetching.types' +import { detectDepTypes } from '@pnpm/lockfile.detect-dep-types' import type { EnvLockfile, LockfileObject } from '@pnpm/lockfile.types' import { type DispatcherOptions, fetchWithDispatcher, type RetryTimeoutOptions } from '@pnpm/network.fetch' import type { DependenciesField } from '@pnpm/types' +import semver from 'semver' -import { lockfileToAuditTree } from './lockfileToAuditTree.js' -import type { AuditReport } from './types.js' +import { + type AuditIndexRequest, + type AuditPathIndex, + buildAuditPathIndex, + collectOptionalOnlyDepPaths, + lockfileToAuditRequest, + type PathInfo, +} from './lockfileToAuditIndex.js' +import type { AuditAdvisory, AuditFinding, AuditLevelString, AuditReport, AuditVulnerabilityCounts } from './types.js' +export type { AuditIndexRequest, AuditPathIndex, PathInfo } from './lockfileToAuditIndex.js' +export { buildAuditPathIndex, lockfileToAuditRequest } from './lockfileToAuditIndex.js' export * from './types.js' +// The shape of a single advisory as returned by npm's /advisories/bulk +// endpoint. The two AuditAdvisory fields not populated directly from this +// are derived from it: github_advisory_id from `url` and patched_versions +// from `vulnerable_versions`. findings are built from the lockfile walk. +interface BulkAdvisory { + id: number + url?: string + title?: string + severity: AuditLevelString + vulnerable_versions: string + cwe?: string | string[] +} + +type BulkAdvisoriesResponse = Record + export async function audit ( lockfile: LockfileObject, getAuthHeader: GetAuthHeader, 
@@ -16,48 +42,183 @@ export async function audit ( dispatcherOptions?: DispatcherOptions envLockfile?: EnvLockfile | null include?: { [dependenciesField in DependenciesField]: boolean } - lockfileDir: string registry: string retry?: RetryTimeoutOptions timeout?: number - virtualStoreDirMaxLength: number } ): Promise { - const auditTree = await lockfileToAuditTree(lockfile, { envLockfile: opts.envLockfile, include: opts.include, lockfileDir: opts.lockfileDir }) + const depTypes = detectDepTypes(lockfile) + const optionalOnly = collectOptionalOnlyDepPaths(lockfile, opts.include) + const auditRequest = lockfileToAuditRequest(lockfile, { envLockfile: opts.envLockfile, include: opts.include, depTypes, optionalOnly }) const registry = opts.registry.endsWith('/') ? opts.registry : `${opts.registry}/` - const auditUrl = `${registry}-/npm/v1/security/audits` - const quickAuditUrl = `${registry}-/npm/v1/security/audits/quick` + const auditUrl = `${registry}-/npm/v1/security/advisories/bulk` const authHeaderValue = getAuthHeader(registry) - const requestBody = JSON.stringify(auditTree) const requestHeaders = { 'Content-Type': 'application/json', ...getAuthHeaders(authHeaderValue), } - const requestOptions = { + + const res = await fetchWithDispatcher(auditUrl, { dispatcherOptions: opts.dispatcherOptions ?? {}, - body: requestBody, + body: JSON.stringify(auditRequest.request), headers: requestHeaders, method: 'POST', retry: opts.retry, timeout: opts.timeout, - } + }) - const quickRes = await fetchWithDispatcher(quickAuditUrl, requestOptions) - - if (quickRes.status === 200) { - return (quickRes.json() as Promise) - } - - const res = await fetchWithDispatcher(auditUrl, requestOptions) if (res.status === 200) { - return (res.json() as Promise) + const rawBody = await res.text() + let body: unknown + try { + body = JSON.parse(rawBody) + } catch (err: unknown) { + const reason = err instanceof Error ? 
err.message : String(err) + throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${auditUrl}) returned invalid JSON: ${reason}. Response body: ${rawBody.slice(0, 500)}`) + } + if (!isBulkResponseShape(body)) { + throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${auditUrl}) returned an unexpected body. Expected an object keyed by package name; got: ${JSON.stringify(body)?.slice(0, 500) ?? String(body)}`) + } + const vulnerableNames = new Set(Object.keys(body)) + let auditPathIndex: AuditPathIndex = {} + if (vulnerableNames.size > 0) { + auditPathIndex = buildAuditPathIndex(lockfile, vulnerableNames, { envLockfile: opts.envLockfile, include: opts.include, depTypes, optionalOnly }) + } + return bulkResponseToAuditReport(body, auditRequest, auditPathIndex) } - if (quickRes.status === 404 && res.status === 404) { - throw new AuditEndpointNotExistsError(quickAuditUrl) + if (res.status === 404) { + throw new AuditEndpointNotExistsError(auditUrl) } - throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${quickAuditUrl}) responded with ${quickRes.status}: ${await quickRes.text()}. Fallback endpoint (at ${auditUrl}) responded with ${res.status}: ${await res.text()}`) + throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${auditUrl}) responded with ${res.status}: ${await res.text()}`) +} + +function bulkResponseToAuditReport (bulk: BulkAdvisoriesResponse, auditRequest: AuditIndexRequest, auditPathIndex: AuditPathIndex): AuditReport { + // Null-prototype map — the id comes from the registry and could be anything. 
+ const advisories: Record = Object.create(null) + const vulnerabilities: AuditVulnerabilityCounts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 } + + for (const [moduleName, packageAdvisories] of Object.entries(bulk)) { + const byVersion = auditPathIndex[moduleName] + for (const adv of packageAdvisories) { + // Guard against registry-supplied values that could corrupt the report: + // only accept finite numeric ids and severities from the known set. + if (typeof adv.id !== 'number' || !Number.isFinite(adv.id)) continue + if (!isKnownSeverity(adv.severity)) continue + const findings = buildFindings(adv, byVersion) + // If no installed version is vulnerable, skip the advisory entirely so + // we don't report false positives for packages the lockfile doesn't use. + if (findings.length === 0) continue + advisories[String(adv.id)] = normalizeAdvisory(adv, moduleName, findings) + // npm's audit report counts one vulnerability per advisory in the metadata summary + // when using the bulk endpoint format pnpm expects. 
+ vulnerabilities[adv.severity] += 1 + } + } + + return { + advisories, + metadata: { + vulnerabilities, + dependencies: auditRequest.dependencies, + devDependencies: auditRequest.devDependencies, + optionalDependencies: auditRequest.optionalDependencies, + totalDependencies: auditRequest.totalDependencies, + }, + } +} + +function buildFindings (adv: BulkAdvisory, byVersion: Map | undefined): AuditFinding[] { + if (byVersion == null) return [] + const findings: AuditFinding[] = [] + for (const [version, info] of byVersion) { + if (satisfiesSafe(version, adv.vulnerable_versions)) { + findings.push({ + version, + paths: info.paths, + dev: info.dev, + optional: info.optional, + bundled: false, + }) + } + } + return findings +} + +const KNOWN_SEVERITIES: ReadonlySet = new Set(['info', 'low', 'moderate', 'high', 'critical']) + +function isKnownSeverity (severity: unknown): severity is AuditLevelString { + return typeof severity === 'string' && KNOWN_SEVERITIES.has(severity as AuditLevelString) +} + +function isBulkResponseShape (body: unknown): body is BulkAdvisoriesResponse { + if (typeof body !== 'object' || body === null || Array.isArray(body)) return false + // Every value must be an array of advisory objects; a null or scalar value + // would crash `for (const adv of packageAdvisories)` downstream. + return Object.values(body).every((packageAdvisories) => + Array.isArray(packageAdvisories) && packageAdvisories.every((advisory) => + typeof advisory === 'object' && advisory !== null && !Array.isArray(advisory) && + typeof (advisory as { vulnerable_versions?: unknown }).vulnerable_versions === 'string' + ) + ) +} + +function satisfiesSafe (version: string, range: string): boolean { + try { + return semver.satisfies(version, range, { includePrerelease: true, loose: true }) + } catch { + return false + } +} + +function normalizeAdvisory (adv: BulkAdvisory, moduleName: string, findings: AuditFinding[]): AuditAdvisory { + const cwe = Array.isArray(adv.cwe) ? 
adv.cwe.join(', ') : adv.cwe + return { + findings, + id: adv.id, + title: adv.title ?? '', + module_name: moduleName, + vulnerable_versions: adv.vulnerable_versions, + patched_versions: inferPatchedVersions(adv.vulnerable_versions), + severity: adv.severity, + cwe: cwe ?? '', + github_advisory_id: deriveGithubAdvisoryId(adv.url), + url: adv.url ?? '', + } +} + +function inferPatchedVersions (vulnerableRange: string): string | undefined { + // Matches `=0.8.1 <0.28.0`. Returns undefined if the range doesn't have a + // recognizable upper bound — callers must not confuse that with "no fix". + const trimmed = vulnerableRange.trim() + const ltMatch = trimmed.match(/(?:^|\s)<\s*(\d+\.\d+\.\d[\w\-.+]*)\s*$/) + if (ltMatch) return `>=${ltMatch[1]}` + const lteMatch = trimmed.match(/(?:^|\s)<=\s*(\d+\.\d+\.\d[\w\-.+]*)\s*$/) + if (lteMatch) { + const next = semver.inc(lteMatch[1], 'patch') + if (next) return `>=${next}` + } + return undefined +} + +function deriveGithubAdvisoryId (url: string | undefined): string { + if (!url) return '' + const match = url.match(/\/(GHSA-[\w-]+)/i) + return match ? normalizeGhsaId(match[1]) : '' +} + +// GHSA identifiers are canonically written with an uppercase `GHSA-` prefix +// and a lowercase hexadecimal-style suffix (e.g. `GHSA-cph5-m8f7-6c5x`). +// Normalize both halves so ignore-list comparisons don't depend on how the +// user (or the advisory url) happens to case the id. +export function normalizeGhsaId (ghsaId: string): string { + const trimmed = ghsaId.trim() + const dash = trimmed.indexOf('-') + if (dash < 0) return trimmed.toUpperCase() + return trimmed.slice(0, dash).toUpperCase() + trimmed.slice(dash).toLowerCase() } interface AuthHeaders { 
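Review bot: `inferPatchedVersions` anchors on whichever `<`/`<=` comparator ends the string, so a disjunctive range such as `>=2.0.0 <2.1.0 || <1.5.0` (constructed example) yields `>=1.5.0`, a `patched_versions` that still contains vulnerable 2.0.x releases, while the ascending form `<1.5.0 || >=2.0.0 <2.1.0` yields `>=2.1.0`, which hides the fixed 1.5.x line from `audit --fix`. Since only the single-range case is intended, bail out before the regex matches with `if (trimmed.includes('||')) return undefined`, or inspect `new semver.Range(trimmed).set` and give up when it holds more than one comparator set. That exposes the downstream issue: the `patched_versions?` comment in the types.ts hunk says undefined is treated as "no fix available", so `--ignore-unfixable` would then silently drop advisories whose fix exists but could not be inferred. The consumer is outside this diff, but keeping "unknown" distinct from "none" (for example, treating only a range with no upper bound at all as unfixable) would be safer than folding both into undefined.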
@@ -74,7 +235,7 @@ function getAuthHeaders (authHeaderValue: string | undefined): AuthHeaders { export class AuditEndpointNotExistsError extends PnpmError { constructor (endpoint: string) { - const message = `The audit endpoint (at ${endpoint}) is doesn't exist.` + const message = `The audit endpoint (at ${endpoint}) doesn't exist.` super( 'AUDIT_ENDPOINT_NOT_EXISTS', message, diff --git a/deps/compliance/audit/src/lockfileToAuditIndex.ts b/deps/compliance/audit/src/lockfileToAuditIndex.ts new file mode 100644 index 0000000000..e16c862349 --- /dev/null +++ b/deps/compliance/audit/src/lockfileToAuditIndex.ts 
@@ -0,0 +1,346 @@ +import * as dp from '@pnpm/deps.path' +import { DepType, type DepTypes, detectDepTypes } from '@pnpm/lockfile.detect-dep-types' +import { convertToLockfileObject } from '@pnpm/lockfile.fs' +import type { EnvLockfile, LockfileObject, ResolvedDependencies } from '@pnpm/lockfile.types' +import { nameVerFromPkgSnapshot } from '@pnpm/lockfile.utils' +import { lockfileWalkerGroupImporterSteps, type LockfileWalkerStep } from '@pnpm/lockfile.walker' +import type { DependenciesField, DepPath, ProjectId } from '@pnpm/types' + +export interface PathInfo { + paths: string[] + dev: boolean + optional: boolean +} + +// Versions installed per package name, keyed by version. +export type AuditPathIndex = Record> + +export interface AuditIndexRequest { + // Flat map suitable as the POST body for `/advisories/bulk`. + request: Record + totalDependencies: number + // Production dependencies: neither dev-only nor optional-only. Kept as a + // distinct counter because devOnly and optionalOnly aren't mutually + // exclusive — a (name, version) can be both — so `total - dev - optional` + // would double-subtract those entries. + dependencies: number + devDependencies: number + optionalDependencies: number +} + +export interface AuditIndexOptions { + envLockfile?: EnvLockfile | null + include?: { [dependenciesField in DependenciesField]: boolean } + // Pre-computed dep types. Callers that also call buildAuditPathIndex on the + // same lockfile can share this to avoid walking the lockfile twice. + depTypes?: DepTypes + // Pre-computed optional-only depPaths for the main lockfile. Shared between + // lockfileToAuditRequest and buildAuditPathIndex when both are called. 
+ optionalOnly?: Set +} + +export function lockfileToAuditRequest ( + lockfile: LockfileObject, + opts: AuditIndexOptions +): AuditIndexRequest { + const importerIds = Object.keys(lockfile.importers) as ProjectId[] + const importerWalkers = lockfileWalkerGroupImporterSteps(lockfile, importerIds, { include: opts.include }) + const depTypes = opts.depTypes ?? detectDepTypes(lockfile) + const optionalOnly = opts.optionalOnly ?? collectOptionalOnlyDepPaths(lockfile, opts.include) + + // Use null-prototype objects for records keyed by package names so a + // hostile or unusual package name (e.g. "__proto__") cannot pollute the + // prototype or overwrite inherited properties. + const request: Record = Object.create(null) + // Per (name, version) classification. Counted as dev/optional only while + // every observed occurrence is dev-only / optional-only; once a non-dev or + // non-optional occurrence is seen, the flag is cleared and the counter + // decremented. + const versionStatesByName: Record> = Object.create(null) + let totalDependencies = 0 + let dependencies = 0 + let devDependencies = 0 + let optionalDependencies = 0 + + const registerOccurrence = (o: { name: string, version: string, devOnly: boolean, optionalOnly: boolean }): void => { + let versionStates = versionStatesByName[o.name] + if (!versionStates) { + versionStates = new Map() + versionStatesByName[o.name] = versionStates + request[o.name] = [] + } + const state = versionStates.get(o.version) + if (!state) { + versionStates.set(o.version, { devOnly: o.devOnly, optionalOnly: o.optionalOnly }) + request[o.name].push(o.version) + totalDependencies++ + if (o.devOnly) devDependencies++ + if (o.optionalOnly) optionalDependencies++ + if (!o.devOnly && !o.optionalOnly) dependencies++ + return + } + const wasProduction = !state.devOnly && !state.optionalOnly + if (state.devOnly && !o.devOnly) { + state.devOnly = false + devDependencies-- + } + if (state.optionalOnly && !o.optionalOnly) { + state.optionalOnly = 
false + optionalDependencies-- + } + if (!wasProduction && !state.devOnly && !state.optionalOnly) { + dependencies++ + } + } + + // Build a visitor for one lockfile graph. The walker already de-duplicates + // by depPath internally, so we don't need a second visited set here. + const makeVisitor = (graphDepTypes: DepTypes, graphOptionalOnly: Set) => { + const visit = (step: LockfileWalkerStep): void => { + for (const { depPath, pkgSnapshot, next } of step.dependencies) { + const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot) + if (version) { + registerOccurrence({ + name, + version, + devOnly: graphDepTypes[depPath] === DepType.DevOnly, + optionalOnly: graphOptionalOnly.has(depPath), + }) + } + visit(next()) + } + } + return visit + } + + const visitMain = makeVisitor(depTypes, optionalOnly) + for (const importerWalker of importerWalkers) { + visitMain(importerWalker.step) + } + if (opts.envLockfile) { + const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile) + const envDepTypes = detectDepTypes(envLockfileObject) + const envOptionalOnly = collectOptionalOnlyDepPaths(envLockfileObject, opts.include) + const visitEnv = makeVisitor(envDepTypes, envOptionalOnly) + for (const { step } of lockfileWalkerGroupImporterSteps(envLockfileObject, Object.keys(envLockfileObject.importers) as ProjectId[], { include: opts.include })) { + visitEnv(step) + } + } + + return { request, totalDependencies, dependencies, devDependencies, optionalDependencies } +} + +export function buildAuditPathIndex ( + lockfile: LockfileObject, + vulnerableNames: Set, + opts: AuditIndexOptions +): AuditPathIndex { + // Null-prototype record keyed by package name to avoid prototype pollution + // from registry-supplied or lockfile-supplied names. + const paths: AuditPathIndex = Object.create(null) + const depTypes = opts.depTypes ?? detectDepTypes(lockfile) + const optionalOnly = opts.optionalOnly ?? 
collectOptionalOnlyDepPaths(lockfile, opts.include) + + walkForPaths({ + lockfile, + vulnerableNames, + paths, + depTypes, + optionalOnly, + include: opts.include, + importerSegmentOf: (importerId) => importerId.replace(/\//g, '__'), + }) + + if (opts.envLockfile) { + const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile) + walkForPaths({ + lockfile: envLockfileObject, + vulnerableNames, + paths, + depTypes: detectDepTypes(envLockfileObject), + optionalOnly: collectOptionalOnlyDepPaths(envLockfileObject, opts.include), + include: opts.include, + importerSegmentOf: (importerId) => importerId, + }) + } + + return paths +} + +// Traverse the lockfile graph without the global depPath de-duplication that +// `@pnpm/lockfile.walker` applies. `findings[].paths` is supposed to list every +// distinct install path to a vulnerable package, so a shared transitive +// dependency (e.g. lodash reached via many parents) must contribute one path +// per parent chain, not just the first one the walker encounters. A per-trail +// visited set prevents cycles without suppressing distinct paths. +interface WalkForPathsCtx { + lockfile: LockfileObject + vulnerableNames: Set + paths: AuditPathIndex + depTypes: DepTypes + optionalOnly: Set + include?: AuditIndexOptions['include'] + importerSegmentOf: (importerId: string) => string +} + +function walkForPaths (ctx: WalkForPathsCtx): void { + const { lockfile, vulnerableNames, paths, depTypes, optionalOnly, include, importerSegmentOf } = ctx + const includeDeps = include?.dependencies !== false + const includeDevDeps = include?.devDependencies !== false + const includeOptDeps = include?.optionalDependencies !== false + const packages = lockfile.packages ?? {} + + // Reused across every root to avoid per-node Set cloning. visit adds the + // current depPath before recursing and removes it on the way back, so the + // set always reflects the current trail. 
+ const inTrail = new Set() + const visit = (edge: { name: string, depPath: DepPath }, trail: string[]): void => { + if (inTrail.has(edge.depPath)) return + const pkgSnapshot = packages[edge.depPath] + if (pkgSnapshot == null) return + const { name, version } = nameVerFromPkgSnapshot(edge.depPath, pkgSnapshot) + const resolvedName = name ?? edge.name + const fullPath = [...trail, resolvedName] + if (version && vulnerableNames.has(resolvedName)) { + recordPath(paths, resolvedName, version, fullPath.join('>'), + depTypes[edge.depPath] === DepType.DevOnly, + optionalOnly.has(edge.depPath)) + } + inTrail.add(edge.depPath) + try { + for (const child of resolvedDepsToNamedDepPaths(pkgSnapshot.dependencies ?? {})) { + visit(child, fullPath) + } + if (includeOptDeps) { + for (const child of resolvedDepsToNamedDepPaths(pkgSnapshot.optionalDependencies ?? {})) { + visit(child, fullPath) + } + } + } finally { + inTrail.delete(edge.depPath) + } + } + + for (const [importerId, importer] of Object.entries(lockfile.importers)) { + const trail = [importerSegmentOf(importerId)] + const roots: Array<{ name: string, depPath: DepPath }> = [] + if (includeDeps) roots.push(...resolvedDepsToNamedDepPaths(importer.dependencies ?? {})) + if (includeDevDeps) roots.push(...resolvedDepsToNamedDepPaths(importer.devDependencies ?? {})) + if (includeOptDeps) roots.push(...resolvedDepsToNamedDepPaths(importer.optionalDependencies ?? {})) + for (const root of roots) { + visit(root, trail) + } + } +} + +// Per-(name, version) cap on recorded paths. The CLI only ever displays the +// first few and follows with a "run pnpm why" hint, so keeping tens of +// thousands of equivalent chains is wasted memory/CPU for projects with +// heavy sharing (e.g. diamond dependencies deep in the graph). 
+const MAX_PATHS_PER_FINDING = 100 + +function recordPath (paths: AuditPathIndex, name: string, version: string, joined: string, isDev: boolean, isOptional: boolean): void { + let byVersion = paths[name] + if (!byVersion) { + byVersion = new Map() + paths[name] = byVersion + } + const info = byVersion.get(version) + if (!info) { + byVersion.set(version, { paths: [joined], dev: isDev, optional: isOptional }) + return + } + if (!isDev) info.dev = false + if (!isOptional) info.optional = false + if (info.paths.length >= MAX_PATHS_PER_FINDING) return + // Dedupe — the same joined trail can be produced when a package appears in + // both `dependencies` and `optionalDependencies` of the same parent, or via + // equivalent peer-suffix variants. + if (info.paths.includes(joined)) return + info.paths.push(joined) +} + +function resolvedDepsToNamedDepPaths (deps: ResolvedDependencies): Array<{ name: string, depPath: DepPath }> { + const result: Array<{ name: string, depPath: DepPath }> = [] + for (const [alias, ref] of Object.entries(deps)) { + const depPath = dp.refToRelative(ref, alias) + if (depPath != null) result.push({ name: alias, depPath }) + } + return result +} + +// Returns the set of depPaths that are reachable only through optional edges +// (i.e. they would be absent from the install set if optionalDependencies were +// not included). Matches the AuditMetadata.optionalDependencies semantic. +// +// Implemented as (reachableWithOptional − reachableWithoutOptional) so that +// optionalDependencies nested inside a required chain are also accounted for, +// not just the ones declared directly on importer.optionalDependencies. +// +// Root selection honours the caller's `include` flags, so running +// `pnpm audit --prod` doesn't let dev-only subgraphs flip a package out of +// "optional-only" classification. 
+export function collectOptionalOnlyDepPaths ( + lockfile: LockfileObject, + include?: AuditIndexOptions['include'] +): Set { + const includeDeps = include?.dependencies !== false + const includeDevDeps = include?.devDependencies !== false + const includeOptDeps = include?.optionalDependencies !== false + const withoutOptional = new Set() + const withOptional = new Set() + for (const importer of Object.values(lockfile.importers)) { + const nonOptionalRoots = [ + ...(includeDeps ? resolvedDepsToDepPaths(importer.dependencies ?? {}) : []), + ...(includeDevDeps ? resolvedDepsToDepPaths(importer.devDependencies ?? {}) : []), + ] + const allRoots = [ + ...nonOptionalRoots, + ...(includeOptDeps ? resolvedDepsToDepPaths(importer.optionalDependencies ?? {}) : []), + ] + walkReachable(lockfile, nonOptionalRoots, withoutOptional, false) + walkReachable(lockfile, allRoots, withOptional, includeOptDeps) + } + const result = new Set() + for (const depPath of withOptional) { + if (!withoutOptional.has(depPath)) result.add(depPath) + } + return result +} + +function walkReachable (lockfile: LockfileObject, depPaths: DepPath[], seen: Set, includeOptionalEdges: boolean): void { + const packages = lockfile.packages ?? {} + for (const depPath of depPaths) { + if (seen.has(depPath)) continue + seen.add(depPath) + const snapshot = packages[depPath] + if (!snapshot) continue + walkReachable(lockfile, resolvedDepsToDepPaths(snapshot.dependencies ?? {}), seen, includeOptionalEdges) + if (includeOptionalEdges) { + walkReachable(lockfile, resolvedDepsToDepPaths(snapshot.optionalDependencies ?? 
{}), seen, includeOptionalEdges) + } + } +} + +function resolvedDepsToDepPaths (deps: ResolvedDependencies): DepPath[] { + return Object.entries(deps) + .map(([alias, ref]) => dp.refToRelative(ref, alias)) + .filter((depPath): depPath is DepPath => depPath !== null) +} + +function envLockfileToLockfileObject (envLockfile: EnvLockfile): LockfileObject { + const envImporter = envLockfile.importers['.'] + const importers: Record }> = {} + if (Object.keys(envImporter.configDependencies).length > 0) { + importers['configDependencies'] = { dependencies: envImporter.configDependencies } + } + if (envImporter.packageManagerDependencies) { + importers['packageManagerDependencies'] = { dependencies: envImporter.packageManagerDependencies } + } + return convertToLockfileObject({ + lockfileVersion: envLockfile.lockfileVersion, + importers, + packages: envLockfile.packages, + snapshots: envLockfile.snapshots, + }) +} diff --git a/deps/compliance/audit/src/lockfileToAuditTree.ts b/deps/compliance/audit/src/lockfileToAuditTree.ts deleted file mode 100644 index 98459f1f5e..0000000000 --- a/deps/compliance/audit/src/lockfileToAuditTree.ts +++ /dev/null 
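Review bot: `walkForPaths` explores every distinct trail to every package, and `MAX_PATHS_PER_FINDING` only stops recording — `visit` keeps recursing through subtrees that contain no vulnerable package and through already-saturated ones, so on lockfiles with deep diamond sharing the number of trails, and the run time, grows exponentially while memory stays capped. A cheap mitigation is a reverse reachability pass before the walk: collect the depPaths from which some vulnerable name is reachable (following optional edges only when `includeOptDeps`, to mirror `visit`) and return early from `visit` for any edge outside that set; recorded paths are unchanged because every node on a recorded trail reaches the vulnerable package through the rest of that trail. This bounds the work to the subgraph above vulnerable packages rather than giving a hard limit, so a per-walk step budget may still be worth adding. A depPath whose snapshot has no name is kept in the set because `visit` falls back to the alias for the vulnerability lookup.
```typescript
function walkForPaths (ctx: WalkForPathsCtx): void {
  // … unchanged: destructuring of ctx, include flags, packages …
  const reachesVulnerable = depPathsReachingVulnerable(packages, vulnerableNames, includeOptDeps)

  const inTrail = new Set<DepPath>()
  const visit = (edge: { name: string, depPath: DepPath }, trail: string[]): void => {
    if (inTrail.has(edge.depPath) || !reachesVulnerable.has(edge.depPath)) return
    // … unchanged: snapshot lookup, recordPath, recursion into children …
  }
  // … unchanged: importer root loop …
}

// Reverse BFS from every package whose name is in vulnerableNames so the
// forward walk can skip any subtree that cannot contribute a finding path.
// Optional edges are followed only when the forward walk follows them.
function depPathsReachingVulnerable (
  packages: NonNullable<LockfileObject['packages']>,
  vulnerableNames: Set<string>,
  includeOptDeps: boolean
): Set<DepPath> {
  const parentsOf = new Map<DepPath, DepPath[]>()
  const reaches = new Set<DepPath>()
  for (const depPath of Object.keys(packages) as DepPath[]) {
    const snapshot = packages[depPath]
    if (snapshot == null) continue
    const { name } = nameVerFromPkgSnapshot(depPath, snapshot)
    // A nameless snapshot is matched by alias in visit(), so keep it conservatively.
    if (name == null || vulnerableNames.has(name)) reaches.add(depPath)
    const children = resolvedDepsToDepPaths(snapshot.dependencies ?? {})
    if (includeOptDeps) children.push(...resolvedDepsToDepPaths(snapshot.optionalDependencies ?? {}))
    for (const child of children) {
      const parents = parentsOf.get(child)
      if (parents) parents.push(depPath)
      else parentsOf.set(child, [depPath])
    }
  }
  const pending = [...reaches]
  for (let current = pending.pop(); current !== undefined; current = pending.pop()) {
    for (const parent of parentsOf.get(current) ?? []) {
      if (!reaches.has(parent)) {
        reaches.add(parent)
        pending.push(parent)
      }
    }
  }
  return reaches
}
```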
@@ -1,125 +0,0 @@ -import path from 'node:path' - -import { DepType, type DepTypes, detectDepTypes } from '@pnpm/lockfile.detect-dep-types' -import { convertToLockfileObject } from '@pnpm/lockfile.fs' -import type { EnvLockfile, LockfileObject, TarballResolution } from '@pnpm/lockfile.types' -import { nameVerFromPkgSnapshot } from '@pnpm/lockfile.utils' -import { lockfileWalkerGroupImporterSteps, type LockfileWalkerStep } from '@pnpm/lockfile.walker' -import type { DependenciesField, ProjectId } from '@pnpm/types' -import { safeReadProjectManifestOnly } from '@pnpm/workspace.project-manifest-reader' -import { map as mapValues } from 'ramda' - -export interface AuditNode { - version?: string - integrity?: string - requires?: Record - dependencies?: { [name: string]: AuditNode } - dev: boolean -} - -export interface AuditTree extends AuditNode { - name?: string - install: string[] - remove: string[] - metadata: unknown -} - -export async function lockfileToAuditTree ( - lockfile: LockfileObject, - opts: { - envLockfile?: EnvLockfile | null - include?: { [dependenciesField in DependenciesField]: boolean } - lockfileDir: string - } -): Promise { - const importerWalkers = lockfileWalkerGroupImporterSteps(lockfile, Object.keys(lockfile.importers) as ProjectId[], { include: opts?.include }) - const dependencies: Record = {} - const depTypes = detectDepTypes(lockfile) - await Promise.all( - importerWalkers.map(async (importerWalker) => { - const importerDeps = lockfileToAuditNode(depTypes, importerWalker.step) - // For some reason the registry responds with 500 if the keys in dependencies have slashes - // see issue: https://github.com/pnpm/pnpm/issues/2848 - const depName = importerWalker.importerId.replace(/\//g, '__') - const manifest = await safeReadProjectManifestOnly(path.join(opts.lockfileDir, importerWalker.importerId)) - dependencies[depName] = { - dependencies: importerDeps, - dev: false, - requires: toRequires(importerDeps), - version: manifest?.version ?? 
'0.0.0', - } - }) - ) - if (opts.envLockfile) { - const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile) - const envDepTypes = detectDepTypes(envLockfileObject) - for (const { importerId, step } of lockfileWalkerGroupImporterSteps(envLockfileObject, Object.keys(envLockfileObject.importers) as ProjectId[], { include: opts.include })) { - const deps = lockfileToAuditNode(envDepTypes, step) - if (Object.keys(deps).length > 0) { - dependencies[importerId] = wrapDepsGroup(deps) - } - } - } - const auditTree: AuditTree = { - name: undefined, - version: undefined, - - dependencies, - dev: false, - install: [], - integrity: undefined, - metadata: {}, - remove: [], - requires: toRequires(dependencies), - } - return auditTree -} - -function lockfileToAuditNode (depTypes: DepTypes, step: LockfileWalkerStep): Record { - const dependencies: Record = {} - for (const { depPath, pkgSnapshot, next } of step.dependencies) { - const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot) - const subdeps = lockfileToAuditNode(depTypes, next()) - const dep: AuditNode = { - dev: depTypes[depPath] === DepType.DevOnly, - integrity: (pkgSnapshot.resolution as TarballResolution).integrity, - version, - } - if (Object.keys(subdeps).length > 0) { - dep.dependencies = subdeps - dep.requires = toRequires(subdeps) - } - dependencies[name] = dep - } - return dependencies -} - -function toRequires (auditNodesByDepName: Record): Record { - return mapValues((auditNode) => auditNode.version!, auditNodesByDepName) -} - -function wrapDepsGroup (deps: Record): AuditNode { - return { - dependencies: deps, - dev: false, - requires: toRequires(deps), - version: '0.0.0', - } -} - -function envLockfileToLockfileObject (envLockfile: EnvLockfile): LockfileObject { - const envImporter = envLockfile.importers['.'] - const importers: Record }> = {} - if (Object.keys(envImporter.configDependencies).length > 0) { - importers['configDependencies'] = { dependencies: 
envImporter.configDependencies } - } - if (envImporter.packageManagerDependencies) { - importers['packageManagerDependencies'] = { dependencies: envImporter.packageManagerDependencies } - } - return convertToLockfileObject({ - lockfileVersion: envLockfile.lockfileVersion, - importers, - packages: envLockfile.packages, - snapshots: envLockfile.snapshots, - }) -} diff --git a/deps/compliance/audit/src/types.ts b/deps/compliance/audit/src/types.ts index bc6873e573..9046f8f5cc 100644 --- a/deps/compliance/audit/src/types.ts +++ b/deps/compliance/audit/src/types.ts 
@@ -7,69 +7,37 @@ export interface AuditVulnerabilityCounts { } export interface IgnoredAuditVulnerabilityCounts { + info: number low: number moderate: number high: number critical: number } -export interface AuditResolution { - id: number - path: string +export type AuditLevelString = 'info' | 'low' | 'moderate' | 'high' | 'critical' + +export type AuditLevelNumber = 0 | 1 | 2 | 3 | 4 + +export interface AuditFinding { + version: string + paths: string[] dev: boolean optional: boolean bundled: boolean } -export interface AuditAction { - action: string - module: string - target: string - isMajor: boolean - resolves: AuditResolution[] -} - -export type AuditLevelString = 'low' | 'moderate' | 'high' | 'critical' - -export type AuditLevelNumber = 0 | 1 | 2 | 3 - export interface AuditAdvisory { - findings: [ - { - version: string - paths: string[] - dev: boolean - optional: boolean - bundled: boolean - } - ] + findings: AuditFinding[] id: number - created: string - updated: string - deleted?: boolean title: string - found_by: { - name: string - } - reported_by: { - name: string - } module_name: string - cves: string[] vulnerable_versions: string - patched_versions: string - overview: string - recommendation: string - references: string - access: string + // Inferred from vulnerable_versions. Undefined when inference fails — + // `audit --fix` and `--ignore-unfixable` treat that as "no fix available". + patched_versions?: string severity: AuditLevelString cwe: string github_advisory_id: string - metadata: { - module_type: string - exploitability: number - affected_components: string - } url: string } @@ -82,14 +50,6 @@ export interface AuditMetadata { } export interface AuditReport { - actions: AuditAction[] advisories: { [id: string]: AuditAdvisory } - muted: unknown[] metadata: AuditMetadata } - -export interface AuditActionRecommendation { - cmd: string - isBreaking: boolean - action: AuditAction -} 
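Review bot: `cwe` stays declared as `string` on `AuditAdvisory`, but the bulk endpoint returns, if I remember correctly, a list of CWE ids per advisory (e.g. `["CWE-79"]`) rather than the single string the retired `/audits` contract used; worth checking against a live response and switching to `cwe: string[]` if so, since this type now describes a different upstream payload. The fields that are now computed locally rather than received from the registry — `findings`, `module_name`, `github_advisory_id`, and the inferred `patched_versions` — would each benefit from a one-line comment like the one already on `patched_versions`, e.g. `// Derived locally from the advisory url; not part of the bulk response.` on `github_advisory_id`, so readers know which values cannot be treated as registry-provided. Nothing visible in this diff sets `AuditFinding.bundled` (the path index tests assert only `paths`, `dev`, `optional`); if it is kept only for report-shape compatibility, say so in a comment.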
diff --git a/deps/compliance/audit/test/__fixtures__/one-project/package.json b/deps/compliance/audit/test/__fixtures__/one-project/package.json deleted file mode 100644 index cd6c0be32b..0000000000 --- a/deps/compliance/audit/test/__fixtures__/one-project/package.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "name": "pkg", - "version": "1.0.0" -} diff --git a/deps/compliance/audit/test/__fixtures__/project-without-version/package.json b/deps/compliance/audit/test/__fixtures__/project-without-version/package.json deleted file mode 100644 index c8a15ebf23..0000000000 --- a/deps/compliance/audit/test/__fixtures__/project-without-version/package.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "name": "pkg" -} diff --git a/deps/compliance/audit/test/index.ts b/deps/compliance/audit/test/index.ts index 341fe12ce8..9f159cc409 100644 --- a/deps/compliance/audit/test/index.ts +++ b/deps/compliance/audit/test/index.ts 
@@ -1,168 +1,180 @@ import { LOCKFILE_VERSION } from '@pnpm/constants' -import { audit } from '@pnpm/deps.compliance.audit' +import { audit, buildAuditPathIndex, lockfileToAuditRequest } from '@pnpm/deps.compliance.audit' import type { PnpmError } from '@pnpm/error' -import { fixtures } from '@pnpm/test-fixtures' import { getMockAgent, setupMockAgent, teardownMockAgent } from '@pnpm/testing.mock-agent' import type { DepPath, ProjectId } from '@pnpm/types' -import { lockfileToAuditTree } from '../lib/lockfileToAuditTree.js' - -const f = fixtures(import.meta.dirname) - describe('audit', () => { - test('lockfileToAuditTree()', async () => { - expect(await lockfileToAuditTree({ + test('lockfileToAuditRequest() flattens dependencies', () => { + const result = lockfileToAuditRequest({ importers: { ['.' as ProjectId]: { - dependencies: { - foo: '1.0.0', - }, - specifiers: { - foo: '^1.0.0', - }, + dependencies: { foo: '1.0.0' }, + specifiers: { foo: '^1.0.0' }, }, }, lockfileVersion: LOCKFILE_VERSION, packages: { - ['bar@1.0.0' as DepPath]: { - resolution: { - integrity: 'bar-integrity', - }, - }, + ['bar@1.0.0' as DepPath]: { resolution: { integrity: 'bar-integrity' } }, ['foo@1.0.0' as DepPath]: { - dependencies: { - bar: '1.0.0', - }, - resolution: { - integrity: 'foo-integrity', - }, + dependencies: { bar: '1.0.0' }, + resolution: { integrity: 'foo-integrity' }, }, }, - }, { lockfileDir: f.find('one-project') })).toEqual({ - name: undefined, - version: undefined, + }, {}) - dependencies: { - '.': { - dependencies: { - foo: { - dependencies: { - bar: { - dev: false, - integrity: 'bar-integrity', - version: '1.0.0', - }, - }, - dev: false, - integrity: 'foo-integrity', - requires: { - bar: '1.0.0', - }, - version: '1.0.0', - }, - }, - dev: false, - requires: { - foo: '1.0.0', - }, - version: '1.0.0', + expect(result.request).toEqual({ foo: ['1.0.0'], bar: ['1.0.0'] }) + expect(result.totalDependencies).toBe(2) + expect(result.devDependencies).toBe(0) + }) + + 
test('buildAuditPathIndex() records install paths for vulnerable packages', () => { + const lockfile = { + importers: { + ['.' as ProjectId]: { + dependencies: { foo: '1.0.0' }, + specifiers: { foo: '^1.0.0' }, }, }, + lockfileVersion: LOCKFILE_VERSION, + packages: { + ['bar@1.0.0' as DepPath]: { resolution: { integrity: 'bar-integrity' } }, + ['foo@1.0.0' as DepPath]: { + dependencies: { bar: '1.0.0' }, + resolution: { integrity: 'foo-integrity' }, + }, + }, + } + const result = buildAuditPathIndex(lockfile, new Set(['bar']), {}) + + expect(result['bar']!.get('1.0.0')).toEqual({ paths: ['.>foo>bar'], dev: false, optional: false }) + expect(result['foo']).toBeUndefined() + }) + + test('buildAuditPathIndex() records every distinct install path for shared deps', () => { + // lodash is reachable via two different parent chains. The lockfile walker + // globally dedupes by depPath, so using it directly would record only the + // first-seen chain. buildAuditPathIndex must produce one path per chain. + const lockfile = { + importers: { + ['.' as ProjectId]: { + dependencies: { a: '1.0.0', b: '1.0.0' }, + specifiers: { a: '^1.0.0', b: '^1.0.0' }, + }, + }, + lockfileVersion: LOCKFILE_VERSION, + packages: { + ['a@1.0.0' as DepPath]: { + dependencies: { lodash: '4.0.0' }, + resolution: { integrity: 'a-integrity' }, + }, + ['b@1.0.0' as DepPath]: { + dependencies: { lodash: '4.0.0' }, + resolution: { integrity: 'b-integrity' }, + }, + ['lodash@4.0.0' as DepPath]: { resolution: { integrity: 'lodash-integrity' } }, + }, + } + const result = buildAuditPathIndex(lockfile, new Set(['lodash']), {}) + + const info = result['lodash']!.get('4.0.0')! 
+ expect(info.paths).toHaveLength(2) + expect(info.paths).toEqual(expect.arrayContaining(['.>a>lodash', '.>b>lodash'])) + }) + + test('buildAuditPathIndex() classifies as optional when the only non-optional path runs through an excluded devDependency', () => { + // shared-pkg is reachable two ways: via a devDependency chain (excluded + // when include.devDependencies === false) and via an optionalDependency + // root. With dev excluded, the only remaining path runs through the + // optional edge, so the finding should be flagged as optional. + const lockfile = { + importers: { + ['.' as ProjectId]: { + devDependencies: { 'dev-root': '1.0.0' }, + optionalDependencies: { 'opt-root': '1.0.0' }, + specifiers: { 'dev-root': '^1.0.0', 'opt-root': '^1.0.0' }, + }, + }, + lockfileVersion: LOCKFILE_VERSION, + packages: { + ['dev-root@1.0.0' as DepPath]: { + dependencies: { 'shared-pkg': '1.0.0' }, + resolution: { integrity: 'dev-root-integrity' }, + }, + ['opt-root@1.0.0' as DepPath]: { + dependencies: { 'shared-pkg': '1.0.0' }, + resolution: { integrity: 'opt-root-integrity' }, + }, + ['shared-pkg@1.0.0' as DepPath]: { resolution: { integrity: 'shared-pkg-integrity' } }, + }, + } + + const withDev = buildAuditPathIndex(lockfile, new Set(['shared-pkg']), { + include: { dependencies: true, devDependencies: true, optionalDependencies: true }, + }) + // When the dev chain is in scope the dep is reachable via a non-optional + // path too, so it is NOT optional-only. + expect(withDev['shared-pkg']!.get('1.0.0')!.optional).toBe(false) + + const prodOnly = buildAuditPathIndex(lockfile, new Set(['shared-pkg']), { + include: { dependencies: true, devDependencies: false, optionalDependencies: true }, + }) + // With devDependencies excluded the only remaining way to reach shared-pkg + // is through opt-root, so the dep becomes optional-only. 
+ expect(prodOnly['shared-pkg']!.get('1.0.0')!.optional).toBe(true) + }) + + test('buildAuditPathIndex() flags findings reached only through optional edges', () => { + const lockfile = { + importers: { + ['.' as ProjectId]: { + optionalDependencies: { native: '1.0.0' }, + specifiers: { native: '^1.0.0' }, + }, + }, + lockfileVersion: LOCKFILE_VERSION, + packages: { + ['native@1.0.0' as DepPath]: { resolution: { integrity: 'native-integrity' } }, + }, + } + const result = buildAuditPathIndex(lockfile, new Set(['native']), {}) + + expect(result['native']!.get('1.0.0')).toEqual({ + paths: ['.>native'], dev: false, - install: [], - integrity: undefined, - metadata: {}, - remove: [], - requires: { '.': '1.0.0' }, + optional: true, }) }) - test('lockfileToAuditTree() without specified version should use default version 0.0.0', async () => { - expect(await lockfileToAuditTree({ + test('buildAuditPathIndex() replaces slashes in workspace importer ids', () => { + const lockfile = { importers: { - ['.' 
as ProjectId]: { - dependencies: { - foo: '1.0.0', - }, - specifiers: { - foo: '^1.0.0', - }, + ['packages/foo' as ProjectId]: { + dependencies: { foo: '1.0.0' }, + specifiers: { foo: '^1.0.0' }, }, }, lockfileVersion: LOCKFILE_VERSION, packages: { - ['bar@1.0.0' as DepPath]: { - resolution: { - integrity: 'bar-integrity', - }, - }, - ['foo@1.0.0' as DepPath]: { - dependencies: { - bar: '1.0.0', - }, - resolution: { - integrity: 'foo-integrity', - }, - }, + ['foo@1.0.0' as DepPath]: { resolution: { integrity: 'foo-integrity' } }, }, - }, { lockfileDir: f.find('project-without-version') })).toEqual({ - name: undefined, - version: undefined, + } + const result = buildAuditPathIndex(lockfile, new Set(['foo']), {}) - dependencies: { - '.': { - dependencies: { - foo: { - dependencies: { - bar: { - dev: false, - integrity: 'bar-integrity', - version: '1.0.0', - }, - }, - dev: false, - integrity: 'foo-integrity', - requires: { - bar: '1.0.0', - }, - version: '1.0.0', - }, - }, - dev: false, - requires: { - foo: '1.0.0', - }, - version: '0.0.0', - }, - }, - dev: false, - install: [], - integrity: undefined, - metadata: {}, - remove: [], - requires: { '.': '0.0.0' }, - }) + expect(result['foo']!.get('1.0.0')!.paths).toEqual(['packages__foo>foo']) }) - test('lockfileToAuditTree() includes env lockfile configDependencies and packageManagerDependencies as separate groups', async () => { - const result = await lockfileToAuditTree({ + test('lockfileToAuditRequest() includes env lockfile configDependencies and packageManagerDependencies', () => { + const result = lockfileToAuditRequest({ importers: { ['.' 
as ProjectId]: { - dependencies: { - foo: '1.0.0', - }, - specifiers: { - foo: '^1.0.0', - }, + dependencies: { foo: '1.0.0' }, + specifiers: { foo: '^1.0.0' }, }, }, lockfileVersion: LOCKFILE_VERSION, packages: { - ['foo@1.0.0' as DepPath]: { - resolution: { - integrity: 'foo-integrity', - }, - }, + ['foo@1.0.0' as DepPath]: { resolution: { integrity: 'foo-integrity' } }, }, }, { envLockfile: { 
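Review bot: `lockfileToAuditRequest() flattens dependencies` covers one version per package only, so the reason the request is `Record<string, string[]>` — several versions of the same name in one lockfile — is untested; a lockfile with `bar@1.0.0` and `bar@2.0.0` reachable from two parents, asserting `result.request.bar` equals `['1.0.0', '2.0.0']` and that a version reachable twice appears once, would pin both the ordering and the dedupe contract. `devDependencies` is asserted only as `0`; a case with a dev-only dependency would confirm the counter actually increments.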
@@ -170,186 +182,53 @@ describe('audit', () => { importers: { '.': { configDependencies: { - 'my-config': { - specifier: '2.0.0', - version: '2.0.0', - }, + 'my-config': { specifier: '2.0.0', version: '2.0.0' }, }, packageManagerDependencies: { - pnpm: { - specifier: '9.0.0', - version: '9.0.0', - }, + pnpm: { specifier: '9.0.0', version: '9.0.0' }, }, }, }, packages: { - 'my-config@2.0.0': { - resolution: { integrity: 'my-config-integrity' }, - }, - 'config-util@1.0.0': { - resolution: { integrity: 'config-util-integrity' }, - }, - 'pnpm@9.0.0': { - resolution: { integrity: 'pnpm-integrity' }, - }, + 'my-config@2.0.0': { resolution: { integrity: 'my-config-integrity' } }, + 'config-util@1.0.0': { resolution: { integrity: 'config-util-integrity' } }, + 'pnpm@9.0.0': { resolution: { integrity: 'pnpm-integrity' } }, }, snapshots: { - 'my-config@2.0.0': { - dependencies: { - 'config-util': '1.0.0', - }, - }, + 'my-config@2.0.0': { dependencies: { 'config-util': '1.0.0' } }, 'config-util@1.0.0': {}, 'pnpm@9.0.0': {}, }, }, - lockfileDir: f.find('one-project'), }) - expect(result.dependencies).toHaveProperty('configDependencies') - expect(result.dependencies).toHaveProperty('packageManagerDependencies') - - expect(result.dependencies!['configDependencies']).toEqual({ - dev: false, - version: '0.0.0', - dependencies: { - 'my-config': { - dev: false, - integrity: 'my-config-integrity', - version: '2.0.0', - dependencies: { - 'config-util': { - dev: false, - integrity: 'config-util-integrity', - version: '1.0.0', - }, - }, - requires: { - 'config-util': '1.0.0', - }, - }, - }, - requires: { - 'my-config': '2.0.0', - }, - }) - - expect(result.dependencies!['packageManagerDependencies']).toEqual({ - dev: false, - version: '0.0.0', - dependencies: { - pnpm: { - dev: false, - integrity: 'pnpm-integrity', - version: '9.0.0', - }, - }, - requires: { - pnpm: '9.0.0', - }, - }) + expect(result.request['foo']).toEqual(['1.0.0']) + 
expect(result.request['my-config']).toEqual(['2.0.0']) + expect(result.request['config-util']).toEqual(['1.0.0']) + expect(result.request['pnpm']).toEqual(['9.0.0']) }) - test('lockfileToAuditTree() with env lockfile with only configDependencies omits packageManagerDependencies group', async () => { - const result = await lockfileToAuditTree({ + test('lockfileToAuditRequest() accepts a null envLockfile', () => { + const result = lockfileToAuditRequest({ importers: { ['.' as ProjectId]: { - specifiers: {}, - }, - }, - lockfileVersion: LOCKFILE_VERSION, - }, { - envLockfile: { - lockfileVersion: LOCKFILE_VERSION, - importers: { - '.': { - configDependencies: { - 'my-hook': { - specifier: '1.0.0', - version: '1.0.0', - }, - }, - }, - }, - packages: { - 'my-hook@1.0.0': { - resolution: { integrity: 'my-hook-integrity' }, - }, - }, - snapshots: { - 'my-hook@1.0.0': {}, - }, - }, - lockfileDir: f.find('one-project'), - }) - - expect(result.dependencies).toHaveProperty('configDependencies') - expect(result.dependencies).not.toHaveProperty('packageManagerDependencies') - }) - - test('lockfileToAuditTree() with env lockfile with empty configDependencies and no packageManagerDependencies adds no groups', async () => { - const result = await lockfileToAuditTree({ - importers: { - ['.' as ProjectId]: { - specifiers: {}, - }, - }, - lockfileVersion: LOCKFILE_VERSION, - }, { - envLockfile: { - lockfileVersion: LOCKFILE_VERSION, - importers: { - '.': { - configDependencies: {}, - }, - }, - packages: {}, - snapshots: {}, - }, - lockfileDir: f.find('one-project'), - }) - - expect(result.dependencies).not.toHaveProperty('configDependencies') - expect(result.dependencies).not.toHaveProperty('packageManagerDependencies') - }) - - test('lockfileToAuditTree() with null envLockfile adds no groups', async () => { - const result = await lockfileToAuditTree({ - importers: { - ['.' 
as ProjectId]: { - dependencies: { - foo: '1.0.0', - }, - specifiers: { - foo: '^1.0.0', - }, + dependencies: { foo: '1.0.0' }, + specifiers: { foo: '^1.0.0' }, }, }, lockfileVersion: LOCKFILE_VERSION, packages: { - ['foo@1.0.0' as DepPath]: { - resolution: { - integrity: 'foo-integrity', - }, - }, + ['foo@1.0.0' as DepPath]: { resolution: { integrity: 'foo-integrity' } }, }, - }, { - envLockfile: null, - lockfileDir: f.find('one-project'), - }) + }, { envLockfile: null }) - expect(result.dependencies).not.toHaveProperty('configDependencies') - expect(result.dependencies).not.toHaveProperty('packageManagerDependencies') - expect(result.dependencies!['.'] ).toBeDefined() + expect(result.request).toEqual({ foo: ['1.0.0'] }) }) - test('lockfileToAuditTree() env lockfile includes optionalDependencies from snapshots', async () => { - const result = await lockfileToAuditTree({ + test('lockfileToAuditRequest() includes optionalDependencies from env snapshots', () => { + const result = lockfileToAuditRequest({ importers: { - ['.' as ProjectId]: { - specifiers: {}, - }, + ['.' as ProjectId]: { specifiers: {} }, }, lockfileVersion: LOCKFILE_VERSION, }, { 
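Review bot: The env-lockfile test asserts only `result.request` entries, so whether config and package-manager dependencies are counted in `totalDependencies` (asserted for the main lockfile in the first test) is not pinned either way. One extra line, `expect(result.totalDependencies).toBe(<intended count>)`, would document the decision; I cannot tell from the hunk which count is intended.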
@@ -358,66 +237,34 @@ describe('audit', () => { importers: { '.': { configDependencies: { - 'my-tool': { - specifier: '1.0.0', - version: '1.0.0', - }, + 'my-tool': { specifier: '1.0.0', version: '1.0.0' }, }, }, }, packages: { - 'my-tool@1.0.0': { - resolution: { integrity: 'my-tool-integrity' }, - }, - 'required-dep@1.0.0': { - resolution: { integrity: 'required-dep-integrity' }, - }, - 'optional-dep@2.0.0': { - resolution: { integrity: 'optional-dep-integrity' }, - }, + 'my-tool@1.0.0': { resolution: { integrity: 'my-tool-integrity' } }, + 'required-dep@1.0.0': { resolution: { integrity: 'required-dep-integrity' } }, + 'optional-dep@2.0.0': { resolution: { integrity: 'optional-dep-integrity' } }, }, snapshots: { 'my-tool@1.0.0': { - dependencies: { - 'required-dep': '1.0.0', - }, - optionalDependencies: { - 'optional-dep': '2.0.0', - }, + dependencies: { 'required-dep': '1.0.0' }, + optionalDependencies: { 'optional-dep': '2.0.0' }, }, 'required-dep@1.0.0': {}, 'optional-dep@2.0.0': {}, }, }, - lockfileDir: f.find('one-project'), }) - const myTool = result.dependencies!['configDependencies']?.dependencies!['my-tool'] - expect(myTool).toBeDefined() - expect(myTool.dependencies).toHaveProperty('required-dep') - expect(myTool.dependencies).toHaveProperty('optional-dep') - expect(myTool.dependencies!['required-dep']).toEqual({ - dev: false, - integrity: 'required-dep-integrity', - version: '1.0.0', - }) - expect(myTool.dependencies!['optional-dep']).toEqual({ - dev: false, - integrity: 'optional-dep-integrity', - version: '2.0.0', - }) - expect(myTool.requires).toEqual({ - 'required-dep': '1.0.0', - 'optional-dep': '2.0.0', - }) + expect(result.request['required-dep']).toEqual(['1.0.0']) + expect(result.request['optional-dep']).toEqual(['2.0.0']) }) - test('lockfileToAuditTree() env lockfile does not include unreachable packages', async () => { - const result = await lockfileToAuditTree({ + test('lockfileToAuditRequest() does not include env packages unreachable 
from importers', () => { + const result = lockfileToAuditRequest({ importers: { - ['.' as ProjectId]: { - specifiers: {}, - }, + ['.' as ProjectId]: { specifiers: {} }, }, lockfileVersion: LOCKFILE_VERSION, }, { @@ -426,35 +273,23 @@ describe('audit', () => { importers: { '.': { configDependencies: { - 'my-config': { - specifier: '1.0.0', - version: '1.0.0', - }, + 'my-config': { specifier: '1.0.0', version: '1.0.0' }, }, }, }, packages: { - 'my-config@1.0.0': { - resolution: { integrity: 'my-config-integrity' }, - }, - 'orphan-pkg@3.0.0': { - resolution: { integrity: 'orphan-integrity' }, - }, + 'my-config@1.0.0': { resolution: { integrity: 'my-config-integrity' } }, + 'orphan-pkg@3.0.0': { resolution: { integrity: 'orphan-integrity' } }, }, snapshots: { 'my-config@1.0.0': {}, 'orphan-pkg@3.0.0': {}, }, }, - lockfileDir: f.find('one-project'), }) - const configDeps = result.dependencies!['configDependencies'] - expect(configDeps.dependencies).toHaveProperty('my-config') - expect(configDeps.dependencies).not.toHaveProperty('orphan-pkg') - - // Also verify it doesn't appear anywhere in the top-level dependencies - expect(result.dependencies).not.toHaveProperty('orphan-pkg') + expect(result.request).toHaveProperty('my-config') + expect(result.request).not.toHaveProperty('orphan-pkg') }) test('an error is thrown if the audit endpoint responds with a non-OK code', async () => { @@ -462,11 +297,8 @@ describe('audit', () => { const getAuthHeader = () => undefined await setupMockAgent() getMockAgent().get('http://registry.registry') - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(500, { message: 'Something bad happened' }) - getMockAgent().get('http://registry.registry') - .intercept({ path: '/-/npm/v1/security/audits', method: 'POST' }) - .reply(500, { message: 'Fallback failed too' }) try { let err!: PnpmError 
@@ -477,12 +309,10 @@ describe('audit', () => { }, getAuthHeader, { - lockfileDir: f.find('one-project'), registry, retry: { retries: 0, }, - virtualStoreDirMaxLength: 120, }) } catch (_err: any) { // eslint-disable-line err = _err 
@@ -490,71 +320,61 @@ describe('audit', () => { expect(err).toBeDefined() expect(err.code).toBe('ERR_PNPM_AUDIT_BAD_RESPONSE') - expect(err.message).toBe('The audit endpoint (at http://registry.registry/-/npm/v1/security/audits/quick) responded with 500: {"message":"Something bad happened"}. Fallback endpoint (at http://registry.registry/-/npm/v1/security/audits) responded with 500: {"message":"Fallback failed too"}') + expect(err.message).toBe('The audit endpoint (at http://registry.registry/-/npm/v1/security/advisories/bulk) responded with 500: {"message":"Something bad happened"}') } finally { await teardownMockAgent() } }) - test('falls back to /audits if /audits/quick fails', async () => { + test('throws AUDIT_BAD_RESPONSE if the registry body is not valid JSON', async () => { const registry = 'http://registry.registry/' const getAuthHeader = () => undefined await setupMockAgent() getMockAgent().get('http://registry.registry') - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) - .reply(500, { message: 'Something bad happened' }) - getMockAgent().get('http://registry.registry') - .intercept({ path: '/-/npm/v1/security/audits', method: 'POST' }) - .reply(200, { - actions: [], - advisories: {}, - metadata: { - dependencies: 0, - devDependencies: 0, - optionalDependencies: 0, - totalDependencies: 0, - vulnerabilities: { - critical: 0, - high: 0, - info: 0, - low: 0, - moderate: 0, - }, - }, - muted: [], - }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, 'not json ') try { - expect(await audit({ - importers: {}, - lockfileVersion: LOCKFILE_VERSION, - }, - getAuthHeader, - { - lockfileDir: f.find('one-project'), - registry, - retry: { - retries: 0, - }, - virtualStoreDirMaxLength: 120, - })).toEqual({ - actions: [], - advisories: {}, - metadata: { - dependencies: 0, - devDependencies: 0, - optionalDependencies: 0, - totalDependencies: 0, - vulnerabilities: { - critical: 0, - high: 0, - info: 0, - 
low: 0, - moderate: 0, - }, - }, - muted: [], - }) + let err!: PnpmError + try { + await audit( + { importers: {}, lockfileVersion: LOCKFILE_VERSION }, + getAuthHeader, + { registry, retry: { retries: 0 } } + ) + } catch (_err: any) { // eslint-disable-line + err = _err + } + expect(err).toBeDefined() + expect(err.code).toBe('ERR_PNPM_AUDIT_BAD_RESPONSE') + expect(err.message).toMatch(/invalid JSON/) + } finally { + await teardownMockAgent() + } + }) + + test('throws AUDIT_BAD_RESPONSE if the registry returns a non-object body', async () => { + const registry = 'http://registry.registry/' + const getAuthHeader = () => undefined + await setupMockAgent() + getMockAgent().get('http://registry.registry') + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, []) + + try { + let err!: PnpmError + try { + await audit( + { importers: {}, lockfileVersion: LOCKFILE_VERSION }, + getAuthHeader, + { registry, retry: { retries: 0 } } + ) + } catch (_err: any) { // eslint-disable-line + err = _err + } + expect(err).toBeDefined() + expect(err.code).toBe('ERR_PNPM_AUDIT_BAD_RESPONSE') + expect(err.message).toMatch(/unexpected body/) } finally { await teardownMockAgent() } 
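Review bot: The non-object body test uses `[]`, which a `typeof body === 'object'` check only rejects with an explicit `Array.isArray` guard; `null` is the other JSON value that passes `typeof === 'object'`, and whether the parser rejects it is not covered. A third case mirroring this one with `.reply(200, 'null')` and the same `/unexpected body/` expectation would close that gap. The parsing code itself is outside this diff, so I cannot tell whether `null` is already handled there.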
@@ -567,17 +387,17 @@ describe('audit', () => { // intercept will only match if the authorization header is present and correct getMockAgent().get('http://registry.registry') .intercept({ - path: '/-/npm/v1/security/audits/quick', + path: '/-/npm/v1/security/advisories/bulk', method: 'POST', headers: { authorization: 'Bearer test-token' }, }) - .reply(200, { actions: [], advisories: {}, metadata: { dependencies: 0, devDependencies: 0, optionalDependencies: 0, totalDependencies: 0, vulnerabilities: { critical: 0, high: 0, info: 0, low: 0, moderate: 0 } }, muted: [] }) + .reply(200, {}) try { const result = await audit( { importers: {}, lockfileVersion: LOCKFILE_VERSION }, getAuthHeader, - { lockfileDir: f.find('one-project'), registry, retry: { retries: 0 }, virtualStoreDirMaxLength: 120 } + { registry, retry: { retries: 0 } } ) expect(result.advisories).toEqual({}) } finally { 
@@ -585,27 +405,125 @@ describe('audit', () => { } }) + test('computes findings paths and severity counts locally when the bulk response omits findings', async () => { + const registry = 'http://registry.registry/' + const getAuthHeader = () => undefined + await setupMockAgent() + // Bare bulk response — no `findings`, no `patched_versions`, no `cves`, + // no `module_name`. Exactly what registry.npmjs.org returns today. + getMockAgent().get('http://registry.registry') + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, { + bar: [ + { + id: 42, + url: 'https://github.com/advisories/GHSA-xxxx-yyyy-zzzz', + title: 'bar is bad', + severity: 'high', + vulnerable_versions: '<2.0.0', + }, + ], + }) + + try { + const result = await audit( + { + importers: { + ['.' as ProjectId]: { + dependencies: { foo: '1.0.0' }, + specifiers: { foo: '^1.0.0' }, + }, + }, + lockfileVersion: LOCKFILE_VERSION, + packages: { + ['bar@1.0.0' as DepPath]: { resolution: { integrity: 'bar-integrity' } }, + ['foo@1.0.0' as DepPath]: { + dependencies: { bar: '1.0.0' }, + resolution: { integrity: 'foo-integrity' }, + }, + }, + }, + getAuthHeader, + { registry, retry: { retries: 0 } } + ) + const advisory = result.advisories['42'] + expect(advisory).toBeDefined() + expect(advisory.module_name).toBe('bar') + expect(advisory.github_advisory_id).toBe('GHSA-xxxx-yyyy-zzzz') + expect(advisory.patched_versions).toBe('>=2.0.0') + expect(advisory.findings).toHaveLength(1) + expect(advisory.findings[0].version).toBe('1.0.0') + expect(advisory.findings[0].paths).toEqual(['.>foo>bar']) + expect(result.metadata.vulnerabilities.high).toBe(1) + expect(result.metadata.totalDependencies).toBe(2) + } finally { + await teardownMockAgent() + } + }) + test('does not send authorization header when getAuthHeader returns undefined', async () => { const registry = 'http://registry.registry/' const getAuthHeader = () => undefined await setupMockAgent() let capturedHeaders: Record = {} 
getMockAgent().get('http://registry.registry') - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, (opts) => { capturedHeaders = opts.headers as Record - return { actions: [], advisories: {}, metadata: { dependencies: 0, devDependencies: 0, optionalDependencies: 0, totalDependencies: 0, vulnerabilities: { critical: 0, high: 0, info: 0, low: 0, moderate: 0 } }, muted: [] } + return {} }) try { await audit( { importers: {}, lockfileVersion: LOCKFILE_VERSION }, getAuthHeader, - { lockfileDir: f.find('one-project'), registry, retry: { retries: 0 }, virtualStoreDirMaxLength: 120 } + { registry, retry: { retries: 0 } } ) expect(capturedHeaders).not.toHaveProperty('authorization') } finally { await teardownMockAgent() } }) + + test('handles info severity in bulk response', async () => { + const registry = 'http://registry.registry/' + const getAuthHeader = () => undefined + await setupMockAgent() + getMockAgent().get('http://registry.registry') + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, { + info_pkg: [ + { + id: 100, + url: 'https://github.com/advisories/GHSA-info-info-info', + title: 'just some info', + severity: 'info', + vulnerable_versions: '*', + }, + ], + }) + + try { + const result = await audit( + { + importers: { + ['.' as ProjectId]: { + dependencies: { info_pkg: '1.0.0' }, + specifiers: { info_pkg: '1.0.0' }, + }, + }, + lockfileVersion: LOCKFILE_VERSION, + packages: { + ['info_pkg@1.0.0' as DepPath]: { resolution: { integrity: 'info-integrity' } }, + }, + }, + getAuthHeader, + { registry, retry: { retries: 0 } } + ) + expect(result.metadata.vulnerabilities.info).toBe(1) + expect(result.advisories['100'].severity).toBe('info') + } finally { + await teardownMockAgent() + } + }) }) diff --git a/deps/compliance/audit/tsconfig.json b/deps/compliance/audit/tsconfig.json index 5fa9a769e3..d22471f028 100644 
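Review bot: The happy-path test mocks a well-formed advisory only; the failure modes introduced by computing fields locally are untested: an advisory whose `url` is not a `github.com/advisories/GHSA-…` link (what `github_advisory_id` becomes), a `vulnerable_versions` range that cannot be inverted into `patched_versions` (the `undefined` case documented in types.ts), an invalid semver range, and an advisory returned for a package whose installed version does not satisfy `vulnerable_versions` (which should yield no findings and not be counted). Each is a small variant of this test's fixture. Since the registry response is untrusted input that now drives semver parsing and path computation, those cases matter for robustness against a malformed or unexpected response, not only for coverage. The mocked advisories also omit `cwe`, which `AuditAdvisory` declares as required, so the fixtures and the type currently disagree.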
--- a/deps/compliance/audit/tsconfig.json +++ b/deps/compliance/audit/tsconfig.json @@ -49,7 +49,7 @@ "path": "../../../testing/mock-agent" }, { - "path": "../../../workspace/project-manifest-reader" + "path": "../../path" } ] } diff --git a/deps/compliance/commands/src/audit/audit.ts b/deps/compliance/commands/src/audit/audit.ts index 79c141c7cf..16d6428961 100644 --- a/deps/compliance/commands/src/audit/audit.ts +++ b/deps/compliance/commands/src/audit/audit.ts @@ -1,7 +1,7 @@ import { docsUrl, TABLE_OPTIONS } from '@pnpm/cli.utils' import { type Config, type ConfigContext, types as allTypes, type UniversalOptions } from '@pnpm/config.reader' import { WANTED_LOCKFILE } from '@pnpm/constants' -import { audit, type AuditAdvisory, type AuditLevelNumber, type AuditLevelString, type AuditReport, type AuditVulnerabilityCounts, type IgnoredAuditVulnerabilityCounts } from '@pnpm/deps.compliance.audit' +import { audit, type AuditAdvisory, type AuditLevelNumber, type AuditLevelString, type AuditReport, type AuditVulnerabilityCounts, type IgnoredAuditVulnerabilityCounts, normalizeGhsaId } from '@pnpm/deps.compliance.audit' import { PnpmError } from '@pnpm/error' import { type InstallCommandOptions, update } from '@pnpm/installing.commands' import { readEnvLockfile, readWantedLockfile } from '@pnpm/lockfile.fs' @@ -9,7 +9,7 @@ import { createGetAuthHeaderByURI } from '@pnpm/network.auth-header' import type { Registries } from '@pnpm/types' import { table } from '@zkochan/table' import chalk, { type ChalkInstance } from 'chalk' -import { difference, pick, pickBy } from 'ramda' +import { pick, pickBy } from 'ramda' import { renderHelp } from 'render-help' import { fix } from './fix.js' 
@@ -17,13 +17,15 @@ import { fixWithUpdate, type FixWithUpdateResult } from './fixWithUpdate.js' import { ignore } from './ignore.js' const AUDIT_LEVEL_NUMBER = { - low: 0, - moderate: 1, - high: 2, - critical: 3, + info: 0, + low: 1, + moderate: 2, + high: 3, + critical: 4, } satisfies Record const AUDIT_COLOR = { + info: chalk.dim, low: chalk.bold, moderate: chalk.bold.yellow, high: chalk.bold.red, @@ -53,7 +55,7 @@ export function rcOptionsTypes (): Record { 'production', 'registry', ], allTypes), - 'audit-level': ['low', 'moderate', 'high', 'critical'], + 'audit-level': ['info', 'low', 'moderate', 'high', 'critical'], // For fix, use String instead of a list of allowed string values. // Otherwise, an unexpected value will get coerced to true because of the Boolean type. fix: [String, Boolean], @@ -99,7 +101,7 @@ export function help (): string { name: '--json', }, { - description: 'Only print advisories with severity greater than or equal to one of the following: low|moderate|high|critical. Default: low', + description: 'Only print advisories with severity greater than or equal to one of the following: info|low|moderate|high|critical. Default: low', name: '--audit-level ', }, { @@ -121,11 +123,11 @@ export function help (): string { name: '--ignore-registry-errors', }, { - description: 'Ignore a vulnerability by CVE', + description: 'Ignore a vulnerability by its GitHub advisory ID (e.g. GHSA-xxxx-xxxx-xxxx)', name: '--ignore ', }, { - description: 'Ignore all CVEs with no resolution', + description: 'Ignore all vulnerabilities for which no fix exists', name: '--ignore-unfixable', }, ], @@ -205,7 +207,6 @@ export async function handler (opts: AuditOptions): Promise<{ exitCode: number, }, envLockfile, include, - lockfileDir, registry: opts.registries.default, retry: { factor: opts.fetchRetryFactor, 
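Review bot: Every existing numeric level in `AUDIT_LEVEL_NUMBER` shifts by one to make room for `info: 0`, which is fine as long as nothing persists or compares these numbers outside this file; a comment such as `// Ordinal rank only; compared against --audit-level, never persisted.` would make that assumption explicit. The `help()` text still says `Default: low`, so `info` advisories are hidden by default while `metadata.vulnerabilities.info` still counts them — worth confirming the summary line and exit code agree with the filter, since that logic is outside this hunk.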
@@ -214,7 +215,6 @@ export async function handler (opts: AuditOptions): Promise<{ exitCode: number, retries: opts.fetchRetries, }, timeout: opts.fetchTimeout, - virtualStoreDirMaxLength: opts.virtualStoreDirMaxLength, }) } catch (err: any) { // eslint-disable-line if (opts.ignoreRegistryErrors) { @@ -293,6 +293,7 @@ ${newIgnores.join('\n')}`, } const vulnerabilities = auditReport.metadata.vulnerabilities const ignoredVulnerabilities: IgnoredAuditVulnerabilityCounts = { + info: 0, low: 0, moderate: 0, high: 0, @@ -301,19 +302,12 @@ ${newIgnores.join('\n')}`, const totalVulnerabilityCount = Object.values(vulnerabilities) .reduce((sum: number, vulnerabilitiesCount: number) => sum + vulnerabilitiesCount, 0) const ignoreGhsas = opts.auditConfig?.ignoreGhsas - if (ignoreGhsas) { + if (ignoreGhsas?.length) { + // Compare GHSA ids after normalizing so stored entries with varying + // casing still match the canonical form on the advisory. + const ignoreSet = new Set(ignoreGhsas.map(normalizeGhsaId)) auditReport.advisories = pickBy(({ github_advisory_id: githubAdvisoryId, severity }) => { - if (!ignoreGhsas.includes(githubAdvisoryId)) { - return true - } - ignoredVulnerabilities[severity as AuditLevelString] += 1 - return false - }, auditReport.advisories) - } - const ignoreCves = opts.auditConfig?.ignoreCves - if (ignoreCves) { - auditReport.advisories = pickBy(({ cves, severity }) => { - if (cves.length === 0 || difference(cves, ignoreCves).length > 0) { + if (!ignoreSet.has(normalizeGhsaId(githubAdvisoryId))) { return true } ignoredVulnerabilities[severity as AuditLevelString] += 1 @@ -339,7 +333,7 @@ ${newIgnores.join('\n')}`, [AUDIT_COLOR[advisory.severity](advisory.severity), chalk.bold(advisory.title)], ['Package', advisory.module_name], ['Vulnerable versions', advisory.vulnerable_versions], - ['Patched versions', advisory.patched_versions], + ['Patched versions', advisory.patched_versions ?? '(unknown)'], [ 'Paths', (paths.length > MAX_PATHS_COUNT 
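Review bot: In the `@@ -301,19 +302,12` hunk the `pickBy` callback calls `normalizeGhsaId(githubAdvisoryId)` unconditionally, while the sibling changes in this commit treat `github_advisory_id` as optional (fix.ts guards with `!ghsaId ||`, ignore.ts throws `AUDIT_MISSING_GHSA` when it is absent). Whether `normalizeGhsaId(undefined)` throws or yields a value that could coincide with a stored entry depends on its implementation, which is outside this diff; the removed `ignoreGhsas.includes(githubAdvisoryId)` was safe in either case. A guard keeps id-less advisories visible instead of risking a crash or a false ignore: `if (githubAdvisoryId == null || !ignoreSet.has(normalizeGhsaId(githubAdvisoryId))) {`. In the `@@ -339,7 +333,7` hunk the `?? '(unknown)'` fallback renders the same undefined state that `--ignore-unfixable` treats as "no fix exists", so a label such as `'(could not be determined)'` would avoid implying the package is unpatched. `handler` begins and ends outside these hunks.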
diff --git a/deps/compliance/commands/src/audit/fix.ts b/deps/compliance/commands/src/audit/fix.ts index 5aabe5706c..07cc13a1af 100644 --- a/deps/compliance/commands/src/audit/fix.ts +++ b/deps/compliance/commands/src/audit/fix.ts @@ -1,6 +1,5 @@ import { writeSettings } from '@pnpm/config.writer' -import type { AuditAdvisory, AuditReport } from '@pnpm/deps.compliance.audit' -import { difference } from 'ramda' +import { type AuditAdvisory, type AuditReport, normalizeGhsaId } from '@pnpm/deps.compliance.audit' import semver from 'semver' import type { AuditOptions } from './audit.js' @@ -11,7 +10,7 @@ export interface FixResult { } export async function fix (auditReport: AuditReport, opts: AuditOptions): Promise { - const fixableAdvisories = getFixableAdvisories(Object.values(auditReport.advisories), opts.auditConfig?.ignoreCves) + const fixableAdvisories = getFixableAdvisories(Object.values(auditReport.advisories), opts.auditConfig?.ignoreGhsas) const vulnOverrides = createOverrides(fixableAdvisories) if (Object.values(vulnOverrides).length === 0) return { vulnOverrides, addedAgeExcludes: [] } const addedAgeExcludes = opts.minimumReleaseAge ? createMinimumReleaseAgeExcludes(fixableAdvisories) : [] 
@@ -25,29 +24,33 @@ export async function fix (auditReport: AuditReport, opts: AuditOptions): Promis return { vulnOverrides, addedAgeExcludes } } -function getFixableAdvisories (advisories: AuditAdvisory[], ignoreCves?: string[]): AuditAdvisory[] { - if (ignoreCves) { - advisories = advisories.filter(({ cves }) => difference(cves, ignoreCves).length > 0) +function getFixableAdvisories (advisories: AuditAdvisory[], ignoreGhsas?: string[]): AuditAdvisory[] { + if (ignoreGhsas) { + // Normalize on both sides so ignore entries match regardless of casing. + const ignored = new Set(ignoreGhsas.map(normalizeGhsaId)) + advisories = advisories.filter(({ github_advisory_id: ghsaId }) => !ghsaId || !ignored.has(normalizeGhsaId(ghsaId))) } - return advisories - .filter(({ vulnerable_versions: vulnerableVersions, patched_versions: patchedVersions }) => vulnerableVersions !== '>=0.0.0' && patchedVersions !== '<0.0.0') + // Only advisories with a known patched range can produce an override. + // patched_versions is undefined when the range couldn't be inferred from + // vulnerable_versions — no override is possible in that case. 
+ return advisories.filter(({ patched_versions: patchedVersions }) => patchedVersions != null) } function createOverrides (advisories: AuditAdvisory[]): Record { - return Object.fromEntries( - advisories.map((advisory) => [ - `${advisory.module_name}@${advisory.vulnerable_versions}`, - advisory.patched_versions, - ]) - ) + const entries: Array<[string, string]> = [] + for (const advisory of advisories) { + if (!advisory.patched_versions) continue + entries.push([`${advisory.module_name}@${advisory.vulnerable_versions}`, advisory.patched_versions]) + } + return Object.fromEntries(entries) } export function createMinimumReleaseAgeExcludes (advisories: AuditAdvisory[]): string[] { const excludes = new Set() for (const advisory of advisories) { - if (advisory.patched_versions === '<0.0.0') continue - if (advisory.vulnerable_versions === '>=0.0.0' || advisory.vulnerable_versions === '*') continue - const minVersion = semver.minVersion(advisory.patched_versions) + const patchedVersions = advisory.patched_versions + if (!patchedVersions) continue + const minVersion = semver.minVersion(patchedVersions) if (minVersion) { excludes.add(`${advisory.module_name}@${minVersion.version}`) } diff --git a/deps/compliance/commands/src/audit/ignore.ts b/deps/compliance/commands/src/audit/ignore.ts index a3dfa62127..57b1192400 100644 --- a/deps/compliance/commands/src/audit/ignore.ts +++ b/deps/compliance/commands/src/audit/ignore.ts @@ -1,5 +1,6 @@ import { writeSettings } from '@pnpm/config.writer' -import type { AuditAdvisory, AuditReport } from '@pnpm/deps.compliance.audit' +import { type AuditAdvisory, type AuditReport, normalizeGhsaId } from '@pnpm/deps.compliance.audit' +import { PnpmError } from '@pnpm/error' import type { AuditConfig, ProjectManifest } from '@pnpm/types' import { difference } from 'ramda' 
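Review bot: `getFixableAdvisories` and `createMinimumReleaseAgeExcludes` drop the explicit `vulnerable_versions === '>=0.0.0'` / `'*'` guards and now rely entirely on `patched_versions` being `undefined` for all-versions advisories. That holds only if the inference that sets `patched_versions` (outside this diff) never produces a range for such an advisory; if it ever did, `createOverrides` would emit an override keyed `pkg@*` that rewrites every version of the package, and the minimum-release-age exclude would follow. A cheap defence-in-depth keeps the old behaviour: destructure `vulnerable_versions: vulnerableVersions` alongside `patched_versions` in the final filter and add `if (vulnerableVersions === '>=0.0.0' || vulnerableVersions === '*') return false`. Separately, `if (ignoreGhsas)` here differs from audit.ts's `if (ignoreGhsas?.length)`; harmless, but worth aligning. The tail of `fix()` at the top of the hunk belongs to a function that opens outside it.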
@@ -15,32 +16,46 @@ export interface IgnoreVulnerabilitiesOptions { } export async function ignore (opts: IgnoreVulnerabilitiesOptions): Promise { - const currentCves = opts?.auditConfig?.ignoreCves ?? [] - const currentUniqueCves = new Set(currentCves) - const advisoryWthNoResolutions = filterAdvisoriesWithNoResolutions(Object.values(opts.auditReport.advisories)) + // GHSA IDs are canonically uppercase; normalize on read/write so a stored + // "ghsa-..." or uppercase user input both match the derived id at filter + // time. + const currentGhsas = (opts?.auditConfig?.ignoreGhsas ?? []).map(normalizeGhsaId) + const currentUniqueGhsas = new Set(currentGhsas) + const advisoriesWithNoResolutions = filterAdvisoriesWithNoResolutions(Object.values(opts.auditReport.advisories)) if (opts.ignoreUnfixable) { - Object.values(advisoryWthNoResolutions).forEach((advisory: AuditAdvisory) => { - advisory.cves.forEach((cve) => currentUniqueCves.add(cve)) - }) - } else { - opts.ignore?.forEach((cve) => currentUniqueCves.add(cve)) + for (const advisory of advisoriesWithNoResolutions) { + if (!advisory.github_advisory_id) { + throw new PnpmError( + 'AUDIT_MISSING_GHSA', + `Cannot ignore advisory ${advisory.id} (${advisory.module_name}): the registry did not provide a GHSA id or a resolvable url.` + ) + } + currentUniqueGhsas.add(normalizeGhsaId(advisory.github_advisory_id)) + } + } else if (opts.ignore) { + for (const ghsa of opts.ignore) { + currentUniqueGhsas.add(normalizeGhsaId(ghsa)) + } } - const newIgnoreCves = currentUniqueCves.size > 0 ? Array.from(currentUniqueCves) : undefined - const diffCve = difference(newIgnoreCves ?? [], currentCves) + const newIgnoreGhsas = currentUniqueGhsas.size > 0 ? Array.from(currentUniqueGhsas) : undefined + const diffGhsas = difference(newIgnoreGhsas ?? 
[], currentGhsas) await writeSettings({ ...opts, updatedSettings: { auditConfig: { ...opts.auditConfig, - ignoreCves: newIgnoreCves, + ignoreGhsas: newIgnoreGhsas, }, }, }) - return [...diffCve] + return [...diffGhsas] } -function filterAdvisoriesWithNoResolutions (advisories: AuditAdvisory[]) { - return advisories.filter(({ patched_versions: patchedVersions }) => patchedVersions === '<0.0.0') +// Advisories for which no override can be produced — patched_versions is +// undefined when pnpm couldn't infer a patched range from vulnerable_versions. +// That is the only "no fix available" signal the bulk endpoint provides. +function filterAdvisoriesWithNoResolutions (advisories: AuditAdvisory[]): AuditAdvisory[] { + return advisories.filter(({ patched_versions: patchedVersions }) => patchedVersions == null) } diff --git a/deps/compliance/commands/test/audit/__snapshots__/index.ts.snap b/deps/compliance/commands/test/audit/__snapshots__/index.ts.snap index a470474574..bb208506f8 100644 --- a/deps/compliance/commands/test/audit/__snapshots__/index.ts.snap +++ b/deps/compliance/commands/test/audit/__snapshots__/index.ts.snap 
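Review bot: Values passed via `--ignore` are normalized and persisted without any shape check in the `else if (opts.ignore)` branch, so after the CVE-to-GHSA migration a user who still types a `CVE-…` identifier gets it silently written into `auditConfig.ignoreGhsas`, where it never matches an advisory and the finding keeps surfacing with no hint why. That fails safe (nothing extra is ignored) but defeats the purpose of the command; unless `normalizeGhsaId` already rejects malformed input, validate before adding, e.g. `if (!/^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/i.test(ghsa)) throw new PnpmError('AUDIT_INVALID_GHSA', \`Invalid GitHub advisory id: ${ghsa}\`)` (error code is a constructed example). A smaller point: a single advisory without a GHSA id aborts `--ignore-unfixable` before `writeSettings` runs, which is the right fail-closed choice but deserves a sentence in the changeset so users know nothing was written.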
@@ -2,20 +2,6 @@ exports[`plugin-commands-audit audit --audit-level 1`] = ` "┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ -│ │ client>xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ │ critical │ Command injection in nodemailer │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ nodemailer │ 
@@ -29,19 +15,6 @@ exports[`plugin-commands-audit audit --audit-level 1`] = ` │ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Insufficient Entropy in cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rq8g-5pc5-wrhr │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ │ critical │ Improper parsing of octal bytes in netmask │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ netmask │ 
@@ -56,91 +29,34 @@ exports[`plugin-commands-audit audit --audit-level 1`] = ` │ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Incorrect Comparison in axios │ +│ critical │ Malware in fsevents │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ +│ Package │ fsevents │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.21.1 │ +│ Vulnerable versions │ >=1.0.0 <1.2.11 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.21.2 │ +│ Patched versions │ >=1.2.11 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ +│ Paths │ .>karma>chokidar>fsevents │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +│ More info │ https://github.com/advisories/GHSA-xv2f-5jw4-v95m │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite on Windows via │ -│ │ insufficient relative path sanitization │ +│ critical │ Code injection in fsevents │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ +│ Package │ fsevents │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ +│ Vulnerable versions │ <=1.2.10 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ +│ Patched versions │ >=1.2.11 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths 
│ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +│ Paths │ .>karma>chokidar>fsevents │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ +│ More info │ https://github.com/advisories/GHSA-8r6j-v8pm-fqw3 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ 
.>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Code Injection in pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <3.3.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=3.3.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ 
-┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Injection │ +│ critical │ xmlhttprequest and xmlhttprequest-ssl vulnerable to │ +│ │ Arbitrary Code Injection │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ xmlhttprequest-ssl │ ├─────────────────────┼────────────────────────────────────────────────────────┤ 
@@ -154,472 +70,6 @@ exports[`plugin-commands-audit audit --audit-level 1`] = ` │ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Execution in underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=1.3.2 <1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ -│ │ transport>smtp-connection>httpntlm>underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Path traversal in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ 
-┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Server-Side Request Forgery in Axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Remote Memory Exposure in bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Denial of Service in http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.18.1 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Validation Bypass in kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=6.0.0 <6.0.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.0.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>anymatch>micromatch>kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Denial of Service in axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.18.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ 
https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Exposure of sensitive information in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ -│ │ │ -│ │ .>karma>http-proxy>follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Regular expression denial of service │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ glob-parent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>glob-parent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Command Injection in lodash │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Prototype Pollution in lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.19 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.19 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.0.0 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Authorization bypass in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.6 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.6 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in node-jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>har-validator>is-my- │ -│ │ json-valid>jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ 
-└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Open redirect in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ netmask npm package vulnerable to octal input data │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.0.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.0.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Insecure defaults due to CORS misconfiguration in │ -│ │ socket.io │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Tmp files readable by other users in sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ <0.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in minimist │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ minimist │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.2.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.2.1 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist │ -│ │ │ -│ │ .>karma>optimist>minimist │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Memory Exposure in tunnel-agent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tunnel-agent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.6.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.6.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>tunnel-agent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.2.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.2.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm 
│ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ json-schema is vulnerable to Prototype Pollution │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ json-schema │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>hipchat-notifier>request>http- │ -│ │ signature>jsprim>json-schema │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Header injection in nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Incorrect Default Permissions in log4js │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Cross-site Scripting in karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.3.14 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.3.14 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in Ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.12.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.12.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ -│ │ validator>ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Exposure of Sensitive Information to an Unauthorized │ -│ │ Actor in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ -│ │ │ -│ │ .>karma>http-proxy>follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ 
https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -46 vulnerabilities found -Severity: 4 low | 17 moderate | 21 high | 4 critical" -`; - -exports[`plugin-commands-audit audit --dev 1`] = ` -"┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Incorrect Comparison in axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.21.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Server-Side Request Forgery in Axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Denial of Service in axios │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.18.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Exposure of sensitive information in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Tmp files readable by other users in sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ <0.0.0 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Exposure of Sensitive Information to an Unauthorized │ -│ │ Actor in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -6 vulnerabilities found -Severity: 2 moderate | 4 high" -`; - -exports[`plugin-commands-audit audit 1`] = ` -"┌─────────────────────┬────────────────────────────────────────────────────────┐ │ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ xmlhttprequest-ssl │ 
@@ -634,426 +84,71 @@ exports[`plugin-commands-audit audit 1`] = ` │ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Command injection in nodemailer │ +│ critical │ Authorization Bypass Through User-Controlled Key in │ +│ │ url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ nodemailer │ +│ Package │ url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.16 │ +│ Vulnerable versions │ <1.5.8 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.16 │ +│ Patched versions │ >=1.5.8 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer │ +│ Paths │ .>karma>log4js>amqplib>url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ +│ More info │ https://github.com/advisories/GHSA-hgjh-723h-mx2j │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Insufficient Entropy in cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>cryptiles │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rq8g-5pc5-wrhr │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Improper parsing of octal bytes in netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.1.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.1.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Incorrect Comparison in axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.21.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high 
│ Arbitrary File Creation/Overwrite on Windows via │ -│ │ insufficient relative path sanitization │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Code Injection in pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in socket.io-parser │ +│ critical │ Insufficient validation when decoding a Socket.IO │ +│ │ packet │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ socket.io-parser │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ 
<3.3.2 │ +│ Vulnerable versions │ <3.3.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=3.3.2 │ +│ Patched versions │ >=3.3.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Injection │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ -│ │ client>xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Execution in underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=1.3.2 <1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ 
.>karma>log4js>nodemailer>nodemailer-direct- │ -│ │ transport>smtp-connection>httpntlm>underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Path traversal in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Server-Side Request Forgery in Axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.21.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ 
-┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Remote Memory Exposure in bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Denial of Service in http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Validation Bypass in kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=6.0.0 <6.0.3 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.0.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>anymatch>micromatch>kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Denial of Service in axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.18.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Exposure of sensitive information in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ │ │ │ -│ │ 
.>karma>http-proxy>follow-redirects │ +│ │ .>karma>socket.io>socket.io-parser │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +│ More info │ https://github.com/advisories/GHSA-qm95-pgcg-qqfq │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Regular expression denial of service │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ glob-parent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>glob-parent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Command Injection in lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ 
-└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Prototype Pollution in lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.19 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.19 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Authorization bypass in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.6 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.6 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in node-jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>har-validator>is-my- │ -│ │ json-valid>jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Open redirect in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.2 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ netmask npm package vulnerable to octal input data │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.0.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.0.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Insecure defaults due to CORS misconfiguration in │ -│ │ socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ 
https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Tmp files readable by other users in sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ <0.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in minimist │ +│ critical │ Prototype Pollution in minimist │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.2.1 │ +│ Vulnerable versions │ <0.2.4 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.2.1 │ +│ Patched versions │ >=0.2.4 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist │ │ │ │ -│ │ .>karma>optimist>minimist │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>tar>mkdirp>minimist │ +│ │ │ +│ │ .>karma>log4js>streamroller>mkdirp>minimist │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why minimist\` for more │ +│ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m │ +│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Memory Exposure in tunnel-agent │ +│ critical │ Prototype Pollution in minimist │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tunnel-agent │ +│ Package │ minimist │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.6.0 │ +│ Vulnerable versions │ >=1.0.0 <1.2.6 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.6.0 │ +│ Patched versions │ >=1.2.6 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>tunnel-agent │ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>rc>minimist │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ +│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.2.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.2.1 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ json-schema is vulnerable to Prototype Pollution │ +│ critical │ json-schema is vulnerable to Prototype Pollution │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ json-schema │ ├─────────────────────┼────────────────────────────────────────────────────────┤ 
@@ -1063,93 +158,94 @@ exports[`plugin-commands-audit audit 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ .>karma>log4js>hipchat-notifier>request>http- │ │ │ signature>jsprim>json-schema │ +│ │ │ +│ │ .>karma>log4js>loggly>request>http- │ +│ │ signature>jsprim>json-schema │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>http- │ +│ │ signature>jsprim>json-schema │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why json-schema\` for more │ +│ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Header injection in nodemailer │ +│ critical │ form-data uses unsafe random function in form-data for │ +│ │ choosing boundary │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ nodemailer │ +│ Package │ form-data │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.6.1 │ +│ Vulnerable versions │ <2.5.4 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.6.1 │ +│ Patched versions │ >=2.5.4 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Incorrect Default Permissions in log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ log4js │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Cross-site Scripting in karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.3.14 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.3.14 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in Ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.12.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.12.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ -│ │ validator>ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Exposure of Sensitive Information to an Unauthorized │ -│ │ Actor in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ +│ Paths │ .>karma>log4js>hipchat-notifier>request>form-data │ │ │ │ -│ │ .>karma>http-proxy>follow-redirects │ +│ │ .>karma>log4js>mailgun-js>form-data │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>form- │ +│ │ data │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why form-data\` for more │ +│ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ +│ More info │ https://github.com/advisories/GHSA-fjxv-7rqg-78g4 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ low │ Potential exponential regex in monitor mode │ +│ critical │ Arbitrary Code Execution in underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.3.2 <1.12.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.12.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp- │ +│ │ connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has a NO_PROXY Hostname Normalization Bypass │ +│ │ Leads to SSRF │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3p68-rc4w-qgx5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has Unrestricted Cloud Metadata Exfiltration via │ +│ │ Header Injection Chain │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fvcv-3m26-pcqx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Node-Redis potential exponential regex in monitor mode │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ redis │ ├─────────────────────┼────────────────────────────────────────────────────────┤ 
@@ -1162,102 +258,151 @@ exports[`plugin-commands-audit audit 1`] = ` │ More info │ https://github.com/advisories/GHSA-35q2-47q7-3pc3 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ low │ Regular Expression Denial of Service in timespan │ +│ high │ Resource exhaustion in socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Code Injection in pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Code Injection in pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ degenerator │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>degenerator │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Cookie exposure in requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>slack-node>requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hjp8-2cm3-cc45 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Denial of Service in axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ 
Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.18.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Regular Expression Denial of Service in timespan │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ timespan │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Vulnerable versions │ <=2.3.0 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ <0.0.0 │ +│ Patched versions │ >=2.3.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ .>karma>log4js>loggly>timespan │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-f523-2f5j-gfcg │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ low │ Regular Expression Denial of Service in braces │ +│ high │ decode-uri-component vulnerable to Denial of Service │ +│ │ (DoS) │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ braces │ +│ Package │ decode-uri-component │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.3.1 │ +│ Vulnerable versions │ <0.2.1 │ 
├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.3.1 │ +│ Patched versions │ >=0.2.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>expand-braces>braces │ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >source-map-resolve>decode-uri-component │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>extglob>expand- │ +│ │ brackets>snapdragon>source-map-resolve>decode-uri- │ +│ │ component │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>extglob>snapdrago │ +│ │ n>source-map-resolve>decode-uri-component │ +│ │ │ +│ │ ... Found 11 paths, run \`pnpm why │ +│ │ decode-uri-component\` for more information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-g95f-p29q-9xw4 │ +│ More info │ https://github.com/advisories/GHSA-w573-4hg7-7wgq │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ low │ Regular Expression Denial of Service (ReDoS) in braces │ +│ high │ Validation Bypass in kind-of │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ braces │ +│ Package │ kind-of │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.3.1 │ +│ Vulnerable versions │ >=6.0.0 <6.0.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.3.1 │ +│ Patched versions │ >=6.0.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>expand-braces>braces │ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>is-accessor- │ +│ │ descriptor>kind-of │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ 
+│ │ >base>define-property>is-descriptor>is-data- │ +│ │ descriptor>kind-of │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>kind-of │ +│ │ │ +│ │ ... Found 97 paths, run \`pnpm why kind-of\` for more │ +│ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cwfw-4gq5-mrqx │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -46 vulnerabilities found -Severity: 4 low | 17 moderate | 21 high | 4 critical" -`; - -exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` -"┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ -│ │ client>xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ +│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Command injection in nodemailer │ +│ high │ Uncontrolled Resource Consumption in Hawk │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ nodemailer │ +│ Package │ hawk │ 
├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.16 │ +│ Vulnerable versions │ <9.0.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.16 │ +│ Patched versions │ >=9.0.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer │ +│ Paths │ .>karma>log4js>loggly>request>hawk │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Insufficient Entropy in cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rq8g-5pc5-wrhr │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Improper parsing of octal bytes in netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.1.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ 
>=1.1.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ +│ More info │ https://github.com/advisories/GHSA-44pw-h2cw-w3vq │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ high │ Arbitrary File Creation/Overwrite on Windows via │ 
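Review bot: The timespan entry in this hunk now shows `│ Patched versions │ >=2.3.1 │` where the previous snapshot recorded `<0.0.0`, the legacy endpoint's marker for an advisory with no fixed release; since the bulk endpoint returns no patched range, this value is presumably the locally inferred one the changeset describes. Deriving `>=2.3.1` from `<=2.3.0` cannot distinguish "fixed in the next release" from "never fixed", so an unfixable advisory is rendered as fixable and, if `--ignore-unfixable` keys off `patched_versions`, would no longer be suppressed by it. The inference lives outside this file, but this snapshot line is where the change in meaning is visible. I would have the inference keep `<0.0.0` (or an explicit no-fix marker) unless a fixed version can actually be confirmed from the advisory data, and keep this snapshot line as the regression check for that case.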
@@ -1274,117 +419,6 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ 
https://github.com/advisories/GHSA-9r2w-394v-53qc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Code Injection in pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <3.3.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=3.3.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Injection │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ -│ │ client>xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Execution in underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=1.3.2 <1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ -│ │ transport>smtp-connection>httpntlm>underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Path traversal in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.0 
│ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Remote Memory Exposure in bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ │ high │ Denial of Service in http-proxy │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ http-proxy │ 
@@ -1398,17 +432,142 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Validation Bypass in kind-of │ +│ high │ Arbitrary File Creation/Overwrite via insufficient │ +│ │ symlink protection due to directory cache poisoning │ +│ │ using symbolic links │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ kind-of │ +│ Package │ tar │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=6.0.0 <6.0.3 │ +│ Vulnerable versions │ >=3.0.0 <4.4.16 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.0.3 │ +│ Patched versions │ >=4.4.16 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>anymatch>micromatch>kind-of │ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ +│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient │ +│ │ symlink protection due to directory cache poisoning │ +│ │ using symbolic links │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.0.0 <4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ 
Patched versions │ >=4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch ReDoS vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f8q6-p94x-37v3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.0.0 <2.6.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.6.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fwr7-v2mv-hh25 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Uncontrolled resource consumption in braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces │ +│ │ │ +│ │ .>karma>chokidar>braces │ +│ │ │ +│ │ .>karma>chokidar>readdirp>micromatch>braces │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why braces\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-grv7-fg5c-xmjg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ ws affected by a DoS when handling a request with many │ +│ │ HTTP headers │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ws │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.1.0 <5.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io>ws │ +│ │ │ +│ │ .>karma>socket.io>socket.io-client>engine.io-client>ws │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3h5v-q93c-6h6q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ body-parser vulnerable to denial of service when url │ +│ │ encoding is enabled │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ body-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.20.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.20.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ ip SSRF improper categorization in isPublic │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ip │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>socks-proxy-agent>socks>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>socks-proxy- │ +│ │ agent>socks>ip │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why ip\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-2p57-rm9w-gvfp │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ high │ Exposure of sensitive information in follow-redirects │ 
@@ -1419,24 +578,126 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=1.14.7 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ +│ Paths │ .>karma>http-proxy>follow-redirects │ │ │ │ -│ │ .>karma>http-proxy>follow-redirects │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Regular expression denial of service │ +│ high │ axios Inefficient Regular Expression Complexity │ +│ │ vulnerability │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ glob-parent │ +│ Package │ axios │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.1.2 │ +│ Vulnerable versions │ <0.21.2 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.1.2 │ +│ Patched versions │ >=0.21.2 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>glob-parent │ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ +│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.5.0 <6.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>qs │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>qs │ +│ │ │ +│ │ .>karma>useragent>request>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.7.0 <6.7.3 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.7.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ hoek subject to prototype pollution via the clone │ +│ │ function. │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=6.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>hoek │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why hoek\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c429-5p7v-vgjp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>hoek │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why hoek\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ high │ Command Injection in lodash │ @@ -1447,7 +708,14 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=4.17.21 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ └─────────────────────┴────────────────────────────────────────────────────────┘ 
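Review bot: The same advisory GHSA-hrpp-h998-j3pp is rendered as three separate tables in this hunk (qs `<6.2.4`, `>=6.5.0 <6.5.3`, `>=6.7.0 <6.7.3`), each with its own path set, so a reader cannot tell it is one advisory matching three installed `qs` versions, and if `metadata.vulnerabilities` counts entries rather than distinct GHSAs the severity totals are inflated. The bulk endpoint evidently returns one entry per affected range, so the fix belongs in the audit code that builds `findings`, not in this snapshot: key findings by the GHSA already parsed from `url` and merge the per-range paths under one table (or print the per-range rows under a single header). Worth confirming at the same time that a single `ignoreGhsas` entry and `--ignore-unfixable` suppress all three rows, since a user who ignores the GHSA once would otherwise still see it. The snapshot continues well beyond this hunk, so the JSON-mode counts could not be checked from here.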
@@ -1456,39 +724,649 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.19 │ +│ Vulnerable versions │ >=3.7.0 <4.17.19 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=4.17.19 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in engine.io │ +│ high │ axios Requests Vulnerable To Possible SSRF and │ +│ │ Credential Leakage via Absolute URL │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jr5f-v2jv-69x6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar Vulnerable to Arbitrary File │ +│ │ Creation/Overwrite via Hardlink Path Traversal │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-34x7-hfp2-rc4v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ semver vulnerable to Regular Expression Denial of │ +│ │ Service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ semver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.0.0-alpha <5.7.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.7.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>semver │ +│ │ │ +│ │ .>karma>log4js>semver │ +│ │ │ +│ │ .>karma>useragent>semver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Nodemailer’s addressparser is vulnerable to DoS caused │ +│ │ by 
recursive calls │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.0.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rcmh-qjqh-p98v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Axios is Vulnerable to Denial of Service via __proto__ │ +│ │ Key in mergeConfig │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.30.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-43fc-jf86-j433 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar is Vulnerable to Arbitrary File Overwrite and │ +│ │ Symlink Poisoning via Insufficient Path Sanitization │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable 
versions │ <=7.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8qq5-rm4j-mr97 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Read/Write via Hardlink Target Escape │ +│ │ Through Symlink Chain in node-tar Extraction │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-83g3-92jg-28cx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch has a ReDoS via repeated wildcards with │ +│ │ non-matching literal in pattern │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.3 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3ppc-4f35-3m26 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch has ReDoS: matchOne() combinatorial │ +│ │ backtracking via multiple non-adjacent GLOBSTAR │ +│ │ segments │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7r86-cg39-jmmj │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch ReDoS: nested *() extglobs generate │ +│ │ catastrophically backtracking regular expressions │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-23c5-xmqv-rm74 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Underscore has unlimited recursion in _.flatten and │ +│ │ _.isEqual, potential for DoS attack │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.13.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.13.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp- │ +│ │ connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qpx9-hpmf-5gmw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ tar has Hardlink Path Traversal via Drive-Relative │ +│ │ Linkpath │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.10 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qffp-2rhf-9h96 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar Symlink Path Traversal via Drive-Relative │ +│ │ Linkpath │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9ppj-qmqm-q256 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Race Condition in node-tar Path Reservations via │ +│ │ Unicode Ligature Collisions on macOS APFS │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-r6q2-hw4h-h46w │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ socket.io allows an unbounded number of binary │ +│ │ attachments │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-677m-j7p3-52f9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ lodash vulnerable to Code Injection via \`_.template\` │ +│ │ imports key names │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.24 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r5fr-rjxr-66jc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Memory Exposure in tunnel-agent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tunnel-agent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>tunnel-agent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Uncaught exception in engine.io │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ engine.io │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.0.0 │ +│ Vulnerable versions │ <3.6.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.0.0 │ +│ Patched versions │ >=3.6.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ .>karma>socket.io>engine.io │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ +│ More info │ 
https://github.com/advisories/GHSA-r7qp-cfhv-p84w │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Authorization bypass in url-parse │ +│ moderate │ Header injection in nodemailer │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ +│ Package │ nodemailer │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.6 │ +│ Vulnerable versions │ <6.6.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.6 │ +│ Patched versions │ >=6.6.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ +│ Paths │ .>karma>log4js>nodemailer │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ +│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Axios vulnerable to Server-Side Request Forgery │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Remote Memory Exposure in bl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ bl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>bl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Open redirect in karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rc3x-jf5g-xvc5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Cross-site Scripting in karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ karma │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.14 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.14 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Exposure of Sensitive Information to an Unauthorized │ +│ │ Actor in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Tmp files readable by other users in sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ 
+│ Patched versions │ >=0.6.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ netmask npm package mishandles octal input data │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ CORS misconfiguration in socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Incorrect Default Permissions in log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>tar>mkdirp>minimist │ +│ │ │ +│ │ .>karma>log4js>streamroller>mkdirp>minimist │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why minimist\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Server-Side Request Forgery in Request │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ request │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.88.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.88.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request │ +│ │ │ +│ │ .>karma>useragent>request │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why request\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects' Proxy-Authorization header kept │ +│ │ across hosts │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cxjh-pqwp-8mfp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Denial of service while parsing a tar file due to lack │ +│ │ of folders count validation │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f5x3-32g6-xq36 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Axios Cross-Site Request Forgery Vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.8.1 <0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ tough-cookie Prototype Pollution vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tough-cookie │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>tough-cookie │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>tough- │ +│ │ cookie │ +│ │ │ +│ │ .>karma>useragent>request>tough-cookie │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why tough-cookie\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in Ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.12.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.12.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>useragent>request>har-validator>ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in │ +│ │ micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.0.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.0.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch │ +│ │ │ +│ │ .>karma>chokidar>readdirp>micromatch │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-952p-6rrq-rcjv │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Insufficient validation when decoding a Socket.IO │ +│ │ packet │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cqmj-92xf-r6r9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ socket.io has an unhandled 'error' event │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-25hc-qcg6-38wj │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ word-wrap vulnerable to Regular Expression Denial of │ +│ │ Service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ word-wrap │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac- │ +│ │ resolver>degenerator>escodegen>optionator>word-wrap │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j8xg-fqg3-53r7 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Prototype Pollution in node-jsonpointer │ 
@@ -1505,11 +1383,128 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ parse-uri Regular expression Denial of Service (ReDoS) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ parseuri │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>parseuri │ +│ │ │ +│ │ .>karma>socket.io>socket.io-client>parseuri │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6fx8-h7jm-663j │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ useragent Regular Expression Denial of Service │ +│ │ vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ useragent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.3.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>useragent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-mgfv-m47x-4wqp │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ nodemailer ReDoS when trying to send a specially │ +│ │ crafted email │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=6.9.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.9.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9h6g-pr28-7cqp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Follow Redirects improperly handles URLs in the │ +│ │ url.parse() function │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jchw-25xp-jwwc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Nodemailer: Email to an unintended domain can occur │ +│ │ due to Interpretation Conflict │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.0.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-mm7p-fcc7-pg87 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Lodash has Prototype Pollution Vulnerability in │ +│ │ \`_.unset\` and \`_.omit\` functions │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <=4.17.22 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xxjr-mmjv-4gpg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Open redirect in url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.2 │ +│ Vulnerable versions │ >=0.1.0 <1.5.2 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=1.5.2 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ 
@@ -1518,32 +1513,301 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ netmask npm package vulnerable to octal input data │ +│ moderate │ Path traversal in url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ +│ Package │ url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.0.1 │ +│ Vulnerable versions │ >=0.1.0 <1.5.0 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.0.1 │ +│ Patched versions │ >=1.5.0 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ +│ Paths │ .>karma>log4js>amqplib>url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ +│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Insecure defaults due to CORS misconfiguration in │ -│ │ socket.io │ +│ moderate │ url-parse incorrectly parses hostname / protocol due │ +│ │ to unstripped leading control characters. 
│ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io │ +│ Package │ url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.4.0 │ +│ Vulnerable versions │ >=0.1.0 <1.5.9 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.4.0 │ +│ Patched versions │ >=1.5.9 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io │ +│ Paths │ .>karma>log4js>amqplib>url-parse │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ +│ More info │ https://github.com/advisories/GHSA-jf5r-8hm2-f872 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ url-parse Incorrectly parses URLs that include an '@' │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8v38-pw62-9cw2 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Authorization bypass in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ ajv has ReDoS when using \`$data\` option │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.14.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>useragent>request>har-validator>ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-2g4f-4pwh-qvx6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ qs's arrayLimit bypass in its bracket notation allows │ +│ │ DoS via memory exhaustion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ 
<6.14.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>request>qs │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>qs │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why qs\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6rw7-vpxm-498p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ brace-expansion: Zero-step sequence causes process │ +│ │ hang and memory exhaustion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ brace-expansion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.13 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.13 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>glob>minimatch>brace-expansion │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why brace-expansion\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f886-m6hf-6m8v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ lodash vulnerable to Prototype Pollution via array │ +│ │ path bypass in \`_.unset\` and \`_.omit\` │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.24 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f23m-r3pf-42rh │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Nodemailer Vulnerable to SMTP Command Injection via │ +│ │ CRLF in Transport name Option (EHLO/HELO) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=8.0.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=8.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vvjj-xcjg-gr5g │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects leaks Custom Authentication Headers │ +│ │ to Cross-Domain Redirect Targets │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.12 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r4q5-vmmm-2653 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +111 vulnerabilities found +Severity: 8 low | 42 moderate | 46 high | 15 critical" +`; + +exports[`plugin-commands-audit audit --dev 1`] = ` +"┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has a NO_PROXY Hostname Normalization Bypass │ +│ │ Leads to SSRF │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3p68-rc4w-qgx5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has Unrestricted Cloud Metadata Exfiltration via │ +│ │ Header Injection Chain │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fvcv-3m26-pcqx │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Denial of Service in axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.18.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Exposure of sensitive information in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ axios Inefficient Regular Expression Complexity │ +│ │ vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ axios Requests Vulnerable To Possible SSRF and │ +│ │ Credential Leakage via Absolute URL │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jr5f-v2jv-69x6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Axios is Vulnerable to Denial of Service via __proto__ │ +│ │ Key in mergeConfig │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.30.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.3 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-43fc-jf86-j433 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Axios vulnerable to Server-Side Request Forgery │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Exposure of Sensitive Information to an Unauthorized │ +│ │ Actor in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ 
└─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Tmp files readable by other users in sync-exec │ 
@@ -1552,13 +1816,1087 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Vulnerable versions │ <=0.6.2 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ <0.0.0 │ +│ Patched versions │ >=0.6.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ .>sync-exec │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects' Proxy-Authorization header kept │ +│ │ across hosts │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cxjh-pqwp-8mfp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Axios Cross-Site Request Forgery Vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.8.1 <0.28.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Follow Redirects improperly handles URLs in the │ +│ │ url.parse() function │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jchw-25xp-jwwc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects leaks Custom Authentication Headers │ +│ │ to Cross-Domain Redirect Targets │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.12 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>axios>follow-redirects │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r4q5-vmmm-2653 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +14 vulnerabilities found +Severity: 7 moderate | 5 high | 2 critical" +`; + +exports[`plugin-commands-audit audit 1`] = ` +"┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Command injection in nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Improper parsing of octal bytes in netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Malware in fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.2.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xv2f-5jw4-v95m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Code injection in fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.2.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8r6j-v8pm-fqw3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ xmlhttprequest and xmlhttprequest-ssl vulnerable to │ +│ │ Arbitrary Code Injection │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ 
xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Authorization Bypass Through User-Controlled Key in │ +│ │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.8 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hgjh-723h-mx2j │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Insufficient validation when decoding a Socket.IO │ +│ │ packet │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qm95-pgcg-qqfq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Prototype Pollution in minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ 
.>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>tar>mkdirp>minimist │ +│ │ │ +│ │ .>karma>log4js>streamroller>mkdirp>minimist │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why minimist\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Prototype Pollution in minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.2.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>rc>minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ json-schema is vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ json-schema │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>http- │ +│ │ 
signature>jsprim>json-schema │ +│ │ │ +│ │ .>karma>log4js>loggly>request>http- │ +│ │ signature>jsprim>json-schema │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>http- │ +│ │ signature>jsprim>json-schema │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why json-schema\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ form-data uses unsafe random function in form-data for │ +│ │ choosing boundary │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ form-data │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>form-data │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>form-data │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>form- │ +│ │ data │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why form-data\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fjxv-7rqg-78g4 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Arbitrary Code Execution in underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.3.2 <1.12.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.12.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp- │ +│ │ connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has a NO_PROXY Hostname Normalization Bypass │ +│ │ Leads to SSRF │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3p68-rc4w-qgx5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has Unrestricted Cloud Metadata Exfiltration via │ +│ │ Header Injection Chain │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fvcv-3m26-pcqx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Node-Redis potential exponential regex in monitor mode │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ redis │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.6.0 <3.1.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>redis │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-35q2-47q7-3pc3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Code Injection in pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ 
Code Injection in pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ degenerator │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>degenerator │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Cookie exposure in requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>slack-node>requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hjp8-2cm3-cc45 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Denial of Service in axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.18.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Regular Expression Denial of Service in timespan │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ timespan │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.3.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>timespan │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f523-2f5j-gfcg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ decode-uri-component vulnerable to Denial of Service │ +│ │ (DoS) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ decode-uri-component │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ 
>source-map-resolve>decode-uri-component │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>extglob>expand- │ +│ │ brackets>snapdragon>source-map-resolve>decode-uri- │ +│ │ component │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>extglob>snapdrago │ +│ │ n>source-map-resolve>decode-uri-component │ +│ │ │ +│ │ ... Found 11 paths, run \`pnpm why │ +│ │ decode-uri-component\` for more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-w573-4hg7-7wgq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Validation Bypass in kind-of │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ kind-of │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.0.0 <6.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>is-accessor- │ +│ │ descriptor>kind-of │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>is-data- │ +│ │ descriptor>kind-of │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>kind-of │ +│ │ │ +│ │ ... 
Found 97 paths, run \`pnpm why kind-of\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Uncontrolled Resource Consumption in Hawk │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hawk │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <9.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=9.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-44pw-h2cw-w3vq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite on Windows via │ +│ │ insufficient relative path sanitization │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Denial of Service in http-proxy │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ http-proxy │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient │ +│ │ symlink protection due to directory cache poisoning │ +│ │ using symbolic links │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.0.0 <4.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient │ +│ │ symlink 
protection due to directory cache poisoning │ +│ │ using symbolic links │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.0.0 <4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch ReDoS vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f8q6-p94x-37v3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.0.0 <2.6.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.6.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fwr7-v2mv-hh25 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Uncontrolled resource consumption in braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces │ +│ │ │ +│ │ .>karma>chokidar>braces │ +│ │ │ +│ │ .>karma>chokidar>readdirp>micromatch>braces │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why braces\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-grv7-fg5c-xmjg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ ws affected by a DoS when handling a request with many │ +│ │ HTTP headers │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ws │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.1.0 <5.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io>ws │ +│ │ │ +│ │ .>karma>socket.io>socket.io-client>engine.io-client>ws │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3h5v-q93c-6h6q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ body-parser vulnerable to denial of service when url │ +│ │ encoding is enabled │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ body-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.20.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.20.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ ip SSRF improper categorization in isPublic │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ip │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>socks-proxy-agent>socks>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>socks-proxy- │ +│ │ agent>socks>ip │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why ip\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-2p57-rm9w-gvfp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Exposure of sensitive information in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ axios Inefficient Regular Expression Complexity │ +│ │ vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ 
+│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.5.0 <6.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>qs │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>qs │ +│ │ │ +│ │ .>karma>useragent>request>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.7.0 <6.7.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.7.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ hoek subject to prototype pollution via the clone │ +│ │ function. 
│ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=6.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>hoek │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why hoek\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c429-5p7v-vgjp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>hoek │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why hoek\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Command Injection in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.7.0 <4.17.19 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.19 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ axios Requests Vulnerable To Possible SSRF and │ +│ │ Credential Leakage via Absolute URL │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jr5f-v2jv-69x6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar Vulnerable to Arbitrary File │ +│ │ Creation/Overwrite via Hardlink Path Traversal │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-34x7-hfp2-rc4v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ semver vulnerable to Regular Expression Denial of │ +│ │ Service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ semver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.0.0-alpha <5.7.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.7.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>semver │ +│ │ │ +│ │ .>karma>log4js>semver │ +│ │ │ +│ │ .>karma>useragent>semver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Nodemailer’s addressparser is vulnerable to DoS caused │ +│ │ by recursive calls │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.0.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rcmh-qjqh-p98v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Axios is Vulnerable to Denial of Service via __proto__ │ +│ │ Key in mergeConfig │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.30.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-43fc-jf86-j433 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar is Vulnerable to Arbitrary File Overwrite and │ +│ │ Symlink 
Poisoning via Insufficient Path Sanitization │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8qq5-rm4j-mr97 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Read/Write via Hardlink Target Escape │ +│ │ Through Symlink Chain in node-tar Extraction │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-83g3-92jg-28cx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch has a ReDoS via repeated wildcards with │ +│ │ non-matching literal in pattern │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3ppc-4f35-3m26 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch has ReDoS: matchOne() combinatorial │ +│ │ backtracking via multiple non-adjacent GLOBSTAR │ +│ │ segments │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7r86-cg39-jmmj │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch ReDoS: nested *() extglobs generate │ +│ │ catastrophically backtracking regular expressions │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-23c5-xmqv-rm74 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Underscore has unlimited recursion in _.flatten and │ +│ │ _.isEqual, potential for DoS attack │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.13.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.13.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp- │ +│ │ connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qpx9-hpmf-5gmw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ tar has Hardlink Path Traversal via Drive-Relative │ +│ │ Linkpath │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.10 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qffp-2rhf-9h96 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar Symlink Path Traversal via Drive-Relative │ +│ │ Linkpath │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9ppj-qmqm-q256 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Race Condition in node-tar Path Reservations via │ +│ │ Unicode Ligature Collisions on macOS APFS │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-r6q2-hw4h-h46w │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ socket.io allows an unbounded number of binary │ +│ │ attachments │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-677m-j7p3-52f9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ lodash vulnerable to Code Injection via \`_.template\` │ +│ │ imports key names │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.24 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r5fr-rjxr-66jc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Memory Exposure in tunnel-agent │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ tunnel-agent │ 
@@ -1572,31 +2910,17 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in hoek │ +│ moderate │ Uncaught exception in engine.io │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ hoek │ +│ Package │ engine.io │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.2.1 │ +│ Vulnerable versions │ <3.6.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.2.1 │ +│ Patched versions │ >=3.6.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>hoek │ +│ Paths │ .>karma>socket.io>engine.io │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ json-schema is vulnerable to Prototype Pollution │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ json-schema │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>hipchat-notifier>request>http- │ -│ │ signature>jsprim>json-schema │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ 
More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ +│ More info │ https://github.com/advisories/GHSA-r7qp-cfhv-p84w │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Header injection in nodemailer │ 
@@ -1612,30 +2936,45 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Incorrect Default Permissions in log4js │ +│ moderate │ Axios vulnerable to Server-Side Request Forgery │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ log4js │ +│ Package │ axios │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.0 │ +│ Vulnerable versions │ <0.21.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.0 │ +│ Patched versions │ >=0.21.1 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js │ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ +│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ +│ moderate │ Remote Memory Exposure in bl │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ +│ Package │ bl │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ +│ Vulnerable versions │ <1.2.3 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ +│ Patched versions │ >=1.2.3 │ 
├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ +│ Paths │ .>karma>log4js>loggly>request>bl │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ +│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Open redirect in karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rc3x-jf5g-xvc5 │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Cross-site Scripting in karma │ 
@@ -1651,6 +2990,186 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` │ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Exposure of Sensitive Information to an Unauthorized │ +│ │ Actor in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Tmp files readable by other users in sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.6.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ netmask npm package mishandles octal input data │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ CORS misconfiguration in socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Incorrect Default Permissions in log4js │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>tar>mkdirp>minimist │ +│ │ │ +│ │ .>karma>log4js>streamroller>mkdirp>minimist │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why minimist\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Server-Side Request Forgery in Request │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ request │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.88.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.88.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request │ +│ │ │ +│ │ .>karma>useragent>request │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why request\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects' Proxy-Authorization header kept │ +│ │ across hosts │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cxjh-pqwp-8mfp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Denial of service while parsing a tar file due to lack │ +│ │ of folders count validation │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f5x3-32g6-xq36 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Axios Cross-Site Request Forgery Vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.8.1 <0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ tough-cookie Prototype Pollution vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tough-cookie │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>tough-cookie │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>tough- │ +│ │ cookie │ +│ │ │ +│ │ .>karma>useragent>request>tough-cookie │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why tough-cookie\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Prototype Pollution in Ajv │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Package │ ajv │ 
@@ -1661,10 +3180,1594 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ │ │ validator>ajv │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>useragent>request>har-validator>ajv │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ └─────────────────────┴────────────────────────────────────────────────────────┘ ┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in │ +│ │ micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.0.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.0.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch │ +│ │ │ +│ │ .>karma>chokidar>readdirp>micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-952p-6rrq-rcjv │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Insufficient validation when decoding a Socket.IO │ +│ │ packet │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.4 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cqmj-92xf-r6r9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ socket.io has an unhandled 'error' event │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-25hc-qcg6-38wj │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ word-wrap vulnerable to Regular Expression Denial of │ +│ │ Service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ word-wrap │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ 
.>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac- │ +│ │ resolver>degenerator>escodegen>optionator>word-wrap │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j8xg-fqg3-53r7 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in node-jsonpointer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ jsonpointer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>har-validator>is-my- │ +│ │ json-valid>jsonpointer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ parse-uri Regular expression Denial of Service (ReDoS) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ parseuri │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>parseuri │ +│ │ │ +│ │ .>karma>socket.io>socket.io-client>parseuri │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6fx8-h7jm-663j │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ useragent Regular Expression Denial of Service │ +│ │ vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ useragent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.3.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>useragent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-mgfv-m47x-4wqp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ nodemailer ReDoS when trying to send a specially │ +│ │ crafted email │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=6.9.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.9.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9h6g-pr28-7cqp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Follow Redirects improperly handles URLs in the │ +│ │ url.parse() function │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jchw-25xp-jwwc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Nodemailer: Email to an unintended domain can occur │ +│ │ due to Interpretation Conflict │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.0.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-mm7p-fcc7-pg87 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Lodash has Prototype Pollution Vulnerability in │ +│ │ \`_.unset\` and \`_.omit\` functions │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <=4.17.22 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xxjr-mmjv-4gpg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Open redirect in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Path traversal in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ url-parse incorrectly parses hostname / protocol due │ +│ │ to unstripped leading control characters. │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jf5r-8hm2-f872 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ url-parse Incorrectly parses URLs that include an '@' │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8v38-pw62-9cw2 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Authorization bypass in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ ajv has ReDoS when using \`$data\` option │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.14.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>useragent>request>har-validator>ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-2g4f-4pwh-qvx6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ qs's arrayLimit bypass in its bracket notation allows │ +│ │ DoS via memory exhaustion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ 
<6.14.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>request>qs │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>qs │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why qs\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6rw7-vpxm-498p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ brace-expansion: Zero-step sequence causes process │ +│ │ hang and memory exhaustion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ brace-expansion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.13 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.13 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>glob>minimatch>brace-expansion │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why brace-expansion\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f886-m6hf-6m8v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ lodash vulnerable to Prototype Pollution via array │ +│ │ path bypass in \`_.unset\` and \`_.omit\` │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.24 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f23m-r3pf-42rh │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Nodemailer Vulnerable to SMTP Command Injection via │ +│ │ CRLF in Transport name Option (EHLO/HELO) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=8.0.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=8.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vvjj-xcjg-gr5g │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects leaks Custom Authentication Headers │ +│ │ to Cross-Domain Redirect Targets │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.12 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r4q5-vmmm-2653 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ Regular Expression Denial of Service in debug │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ debug │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <4.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>debug │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-gxpj-cx7g-858c │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ Regular Expression Denial of Service in debug │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ debug │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.2.0 <3.2.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.2.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>needle>debug │ +│ │ │ +│ │ .>karma>http-proxy>follow-redirects>debug │ +│ │ │ +│ │ .>karma>log4js>debug │ +│ │ │ +│ │ ... 
Found 6 paths, run \`pnpm why debug\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-gxpj-cx7g-858c │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ cookie accepts cookie name, path, and domain with out │ +│ │ of bounds characters │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ cookie │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.7.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.7.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io>cookie │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pxg6-pf52-xh8x │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ brace-expansion Regular Expression Denial of Service │ +│ │ vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ brace-expansion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <=1.1.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.12 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch>brace-expansion │ +│ │ │ +│ │ 
.>karma>glob>minimatch>brace-expansion │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why brace-expansion\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-v6h2-p8h4-qcjw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ tmp allows arbitrary temporary file / directory write │ +│ │ via symbolic link \`dir\` parameter │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tmp │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.2.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>tmp │ +│ │ │ +│ │ .>karma>useragent>tmp │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-52f5-9888-hmc6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ qs's arrayLimit bypass in comma parsing allows denial │ +│ │ of service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.7.0 <=6.14.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-w7fw-mjwx-w883 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ NPM IP package incorrectly identifies some private IP │ +│ │ addresses as public │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ip │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>socks-proxy-agent>socks>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>socks-proxy- │ +│ │ agent>socks>ip │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why ip\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-78xj-cgh5-2h22 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ Nodemailer has SMTP command injection due to │ +│ │ unsanitized \`envelope.size\` parameter │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <8.0.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=8.0.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c7w3-x93f-qmm8 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +111 vulnerabilities found +Severity: 8 low | 42 moderate | 46 high | 15 critical" +`; + +exports[`plugin-commands-audit audit: advisories in ignoreGhsas do not show up 1`] = ` +"┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Command injection in nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Improper parsing of octal bytes in netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Malware in fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.2.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xv2f-5jw4-v95m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Code injection in fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.2.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8r6j-v8pm-fqw3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ xmlhttprequest and xmlhttprequest-ssl vulnerable to │ +│ │ Arbitrary Code Injection │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ 
xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>xmlhttprequest-ssl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Authorization Bypass Through User-Controlled Key in │ +│ │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hgjh-723h-mx2j │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Insufficient validation when decoding a Socket.IO │ +│ │ packet │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ 
Patched versions │ >=3.3.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qm95-pgcg-qqfq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Prototype Pollution in minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>tar>mkdirp>minimist │ +│ │ │ +│ │ .>karma>log4js>streamroller>mkdirp>minimist │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why minimist\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Prototype Pollution in minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.2.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>rc>minimist │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ json-schema is vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ json-schema │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>http- │ +│ │ signature>jsprim>json-schema │ +│ │ │ +│ │ .>karma>log4js>loggly>request>http- │ +│ │ signature>jsprim>json-schema │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>http- │ +│ │ 
signature>jsprim>json-schema │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why json-schema\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ form-data uses unsafe random function in form-data for │ +│ │ choosing boundary │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ form-data │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>form-data │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>form-data │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>form- │ +│ │ data │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why form-data\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fjxv-7rqg-78g4 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Arbitrary Code Execution in underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.3.2 <1.12.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.12.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp- │ +│ │ connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has a NO_PROXY Hostname Normalization Bypass │ +│ │ Leads to SSRF │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3p68-rc4w-qgx5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ critical │ Axios has Unrestricted Cloud Metadata Exfiltration via │ +│ │ Header Injection Chain │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.31.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fvcv-3m26-pcqx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Node-Redis potential exponential regex in monitor mode │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ redis │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.6.0 <3.1.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>redis │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-35q2-47q7-3pc3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Code Injection in pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ 
Code Injection in pac-resolver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ degenerator │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>degenerator │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Cookie exposure in requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>slack-node>requestretry │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hjp8-2cm3-cc45 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Regular Expression Denial of Service in timespan │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ timespan │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.3.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>timespan │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f523-2f5j-gfcg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ decode-uri-component vulnerable to Denial of Service │ +│ │ (DoS) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ decode-uri-component │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >source-map-resolve>decode-uri-component │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>extglob>expand- │ +│ │ brackets>snapdragon>source-map-resolve>decode-uri- │ +│ │ component │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>extglob>snapdrago │ +│ │ n>source-map-resolve>decode-uri-component │ +│ │ │ +│ │ ... 
Found 11 paths, run \`pnpm why │ +│ │ decode-uri-component\` for more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-w573-4hg7-7wgq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Validation Bypass in kind-of │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ kind-of │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.0.0 <6.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>is-accessor- │ +│ │ descriptor>kind-of │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>is-data- │ +│ │ descriptor>kind-of │ +│ │ │ +│ │ .>karma>chokidar>anymatch>micromatch>braces>snapdragon │ +│ │ >base>define-property>is-descriptor>kind-of │ +│ │ │ +│ │ ... 
Found 97 paths, run \`pnpm why kind-of\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Uncontrolled Resource Consumption in Hawk │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hawk │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <9.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=9.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-44pw-h2cw-w3vq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite on Windows via │ +│ │ insufficient relative path sanitization │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Denial of Service in http-proxy │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ http-proxy │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.18.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient │ +│ │ symlink protection due to directory cache poisoning │ +│ │ using symbolic links │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.0.0 <4.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient │ +│ │ symlink 
protection due to directory cache poisoning │ +│ │ using symbolic links │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.0.0 <4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch ReDoS vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f8q6-p94x-37v3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.0.0 <2.6.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.6.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>async │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fwr7-v2mv-hh25 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Uncontrolled resource consumption in braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.0.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch>braces │ +│ │ │ +│ │ .>karma>chokidar>braces │ +│ │ │ +│ │ .>karma>chokidar>readdirp>micromatch>braces │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why braces\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-grv7-fg5c-xmjg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ ws affected by a DoS when handling a request with many │ +│ │ HTTP headers │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ws │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.1.0 <5.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io>ws │ +│ │ │ +│ │ .>karma>socket.io>socket.io-client>engine.io-client>ws │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3h5v-q93c-6h6q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ body-parser vulnerable to denial of service when url │ +│ │ encoding is enabled │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ body-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.20.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.20.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-qwcr-r2fm-qrc7 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ ip SSRF improper categorization in isPublic │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ip │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>socks-proxy-agent>socks>ip │ +│ │ │ +│ │ .>karma>log4js>mailgun-js>proxy-agent>socks-proxy- │ +│ │ agent>socks>ip │ +│ │ │ +│ │ ... Found 4 paths, run \`pnpm why ip\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-2p57-rm9w-gvfp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Exposure of sensitive information in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.5.0 <6.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>qs │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>qs │ +│ │ │ +│ │ .>karma>useragent>request>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ qs vulnerable to Prototype Pollution │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.7.0 <6.7.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.7.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hrpp-h998-j3pp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ hoek subject to prototype pollution via the clone │ +│ │ function. │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=6.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>hoek │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why hoek\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c429-5p7v-vgjp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>hawk>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek │ +│ │ │ +│ │ .>karma>log4js>loggly>request>hawk>hoek │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why hoek\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Command Injection in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=3.7.0 <4.17.19 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.19 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ axios Requests Vulnerable To Possible SSRF and │ +│ │ Credential Leakage via Absolute URL │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jr5f-v2jv-69x6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar Vulnerable to Arbitrary File │ +│ │ Creation/Overwrite via Hardlink Path Traversal │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-34x7-hfp2-rc4v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ semver vulnerable to Regular Expression Denial of │ +│ │ Service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ semver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.0.0-alpha <5.7.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.7.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>semver │ +│ │ │ +│ │ .>karma>log4js>semver │ +│ │ │ +│ │ .>karma>useragent>semver │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │ 
+└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Nodemailer’s addressparser is vulnerable to DoS caused │ +│ │ by recursive calls │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.0.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rcmh-qjqh-p98v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Axios is Vulnerable to Denial of Service via __proto__ │ +│ │ Key in mergeConfig │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.30.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.30.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-43fc-jf86-j433 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar is Vulnerable to Arbitrary File Overwrite and │ +│ │ Symlink 
Poisoning via Insufficient Path Sanitization │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8qq5-rm4j-mr97 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Read/Write via Hardlink Target Escape │ +│ │ Through Symlink Chain in node-tar Extraction │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-83g3-92jg-28cx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch has a ReDoS via repeated wildcards with │ +│ │ non-matching literal in pattern │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-3ppc-4f35-3m26 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch has ReDoS: matchOne() combinatorial │ +│ │ backtracking via multiple non-adjacent GLOBSTAR │ +│ │ segments │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7r86-cg39-jmmj │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ minimatch ReDoS: nested *() extglobs generate │ +│ │ catastrophically backtracking regular expressions │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ minimatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch │ +│ │ │ +│ │ .>karma>glob>minimatch │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why minimatch\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-23c5-xmqv-rm74 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Underscore has unlimited recursion in _.flatten and │ +│ │ _.isEqual, potential for DoS attack │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.13.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.13.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp- │ +│ │ connection>httpntlm>underscore │ +│ │ │ +│ │ .>karma>log4js>nodemailer>nodemailer-smtp- │ +│ │ transport>smtp-connection>httpntlm>underscore │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qpx9-hpmf-5gmw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ tar has Hardlink Path Traversal via Drive-Relative │ +│ │ Linkpath │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.10 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qffp-2rhf-9h96 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ node-tar Symlink Path Traversal via Drive-Relative │ +│ │ Linkpath │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.10 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9ppj-qmqm-q256 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ Race Condition in node-tar Path Reservations via │ +│ │ Unicode Ligature Collisions on macOS APFS │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=7.5.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.5.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-r6q2-hw4h-h46w │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ socket.io allows an unbounded number of binary │ +│ │ attachments │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-677m-j7p3-52f9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ high │ lodash vulnerable to Code Injection via \`_.template\` │ +│ │ imports key names │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.24 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r5fr-rjxr-66jc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Memory Exposure in tunnel-agent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tunnel-agent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.6.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>tunnel-agent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Uncaught exception in engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>engine.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r7qp-cfhv-p84w │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Header injection in nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.6.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Remote Memory Exposure in bl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ bl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>bl │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Open redirect in karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.16 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.16 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rc3x-jf5g-xvc5 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Cross-site Scripting in karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.14 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.14 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ │ moderate │ Exposure of Sensitive Information to an Unauthorized │ │ │ Actor in follow-redirects │ ├─────────────────────┼────────────────────────────────────────────────────────┤ 
@@ -1674,2196 +4777,3066 @@ exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up 1`] = ` ├─────────────────────┼────────────────────────────────────────────────────────┤ │ Patched versions │ >=1.14.8 │ ├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ +│ Paths │ .>karma>http-proxy>follow-redirects │ │ │ │ -│ │ .>karma>http-proxy>follow-redirects │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ ├─────────────────────┼────────────────────────────────────────────────────────┤ │ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ └─────────────────────┴────────────────────────────────────────────────────────┘ -46 vulnerabilities found -Severity: 4 low | 17 moderate (1 ignored) | 21 high (3 ignored) | 4 critical" +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Tmp files readable by other users in sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.6.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.6.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>sync-exec │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ netmask npm package mishandles octal input data │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ netmask │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac-resolver>netmask │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ CORS misconfiguration in socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Incorrect Default Permissions in log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.0 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Server-Side Request Forgery in Request │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ request │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.88.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.88.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request │ +│ │ │ +│ │ .>karma>useragent>request │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why request\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects' Proxy-Authorization header kept │ +│ │ across hosts │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cxjh-pqwp-8mfp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Denial of service while parsing a tar file due to lack │ +│ │ of folders count validation │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.2.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f5x3-32g6-xq36 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Axios Cross-Site Request Forgery Vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.8.1 <0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=0.28.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>axios │ +│ │ │ +│ │ .>axios │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ tough-cookie Prototype Pollution vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ tough-cookie │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.1.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>tough-cookie │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>tough- │ +│ │ cookie │ +│ │ │ +│ │ .>karma>useragent>request>tough-cookie │ +│ │ │ +│ │ ... 
Found 4 paths, run \`pnpm why tough-cookie\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in Ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.12.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.12.3 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>useragent>request>har-validator>ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in │ +│ │ micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ micromatch │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.0.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.0.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>anymatch>micromatch │ +│ │ │ +│ │ .>karma>chokidar>readdirp>micromatch │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-952p-6rrq-rcjv │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Insufficient validation when decoding a Socket.IO │ +│ │ packet │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>socket.io-parser │ +│ │ │ +│ │ .>karma>socket.io>socket.io-parser │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cqmj-92xf-r6r9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ socket.io has an unhandled 'error' event │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-25hc-qcg6-38wj │ +└─────────────────────┴────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ word-wrap vulnerable to Regular Expression Denial of │ +│ │ Service │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ word-wrap │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ +│ │ agent>pac- │ +│ │ resolver>degenerator>escodegen>optionator>word-wrap │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j8xg-fqg3-53r7 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in node-jsonpointer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ jsonpointer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>loggly>request>har-validator>is-my- │ +│ │ json-valid>jsonpointer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ parse-uri Regular expression Denial of Service (ReDoS) │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ parseuri │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ +│ │ client>parseuri │ +│ │ │ +│ │ .>karma>socket.io>socket.io-client>parseuri │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6fx8-h7jm-663j │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ useragent Regular Expression Denial of Service │ +│ │ vulnerability │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ useragent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.3.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>useragent │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-mgfv-m47x-4wqp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ nodemailer ReDoS when trying to send a specially │ +│ │ crafted email │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ 
Vulnerable versions │ <=6.9.8 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.9.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9h6g-pr28-7cqp │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Follow Redirects improperly handles URLs in the │ +│ │ url.parse() function │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jchw-25xp-jwwc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Nodemailer: Email to an unintended domain can occur │ +│ │ due to Interpretation Conflict │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <7.0.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=7.0.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-mm7p-fcc7-pg87 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Lodash has Prototype Pollution Vulnerability in │ +│ │ \`_.unset\` and \`_.omit\` functions │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=4.0.0 <=4.17.22 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xxjr-mmjv-4gpg │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Open redirect in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.2 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Path traversal in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ url-parse incorrectly parses hostname / protocol due │ +│ │ to unstripped leading control characters. 
│ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.9 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jf5r-8hm2-f872 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ url-parse Incorrectly parses URLs that include an '@' │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.0.0 <1.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.7 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-8v38-pw62-9cw2 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Authorization bypass in url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=0.1.0 <1.5.6 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.6 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>amqplib>url-parse │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ ajv has ReDoS when using \`$data\` option │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.14.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.0 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>har- │ +│ │ validator>ajv │ +│ │ │ +│ │ .>karma>useragent>request>har-validator>ajv │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-2g4f-4pwh-qvx6 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ qs's arrayLimit bypass in its bracket notation allows │ +│ │ DoS via memory exhaustion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ qs │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.14.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=6.14.1 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>body-parser>qs │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>request>qs │ +│ │ │ +│ │ .>karma>log4js>slack-node>requestretry>request>qs │ +│ │ │ +│ │ ... Found 5 paths, run \`pnpm why qs\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6rw7-vpxm-498p │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ brace-expansion: Zero-step sequence causes process │ +│ │ hang and memory exhaustion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ brace-expansion │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.13 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.13 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>npm- │ +│ │ packlist>ignore-walk>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>chokidar>fsevents>node-pre- │ +│ │ gyp>rimraf>glob>minimatch>brace-expansion │ +│ │ │ +│ │ .>karma>glob>minimatch>brace-expansion │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why brace-expansion\` for │ +│ │ more information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f886-m6hf-6m8v │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ lodash vulnerable to Prototype Pollution via array │ +│ │ path bypass in \`_.unset\` and \`_.omit\` │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=4.17.23 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.24 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>combine-lists>lodash │ +│ │ │ +│ │ .>karma>lodash │ +│ │ │ +│ │ .>karma>log4js>hipchat-notifier>lodash │ +│ │ │ +│ │ ... 
Found 5 paths, run \`pnpm why lodash\` for more │ +│ │ information │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f23m-r3pf-42rh │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Nodemailer Vulnerable to SMTP Command Injection via │ +│ │ CRLF in Transport name Option (EHLO/HELO) │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=8.0.4 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=8.0.5 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>log4js>nodemailer │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vvjj-xcjg-gr5g │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ follow-redirects leaks Custom Authentication Headers │ +│ │ to Cross-Domain Redirect Targets │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=1.15.11 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.15.12 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Paths │ .>karma>http-proxy>follow-redirects │ +│ │ │ +│ │ .>karma>log4js>axios>follow-redirects │ +│ │ │ +│ │ .>axios>follow-redirects │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-r4q5-vmmm-2653 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +111 vulnerabilities found +Severity: 8 low | 42 moderate (2 ignored) | 46 high (2 ignored) | 15 critical" `; -exports[`plugin-commands-audit audit: CVEs in ignoreCves do not show up when JSON output is used 1`] = ` +exports[`plugin-commands-audit audit: advisories in ignoreGhsas do not show up when JSON output is used 1`] = ` "{ - "actions": [ - { - "action": "update", - "resolves": [ - { - "id": 1005586, - "path": ".>karma>http-proxy", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "http-proxy", - "target": "1.18.1", - "depth": 3 - }, - { - "action": "update", - "resolves": [ - { - "id": 1006110, - "path": ".>karma>chokidar>anymatch>micromatch>kind-of", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "kind-of", - "target": "6.0.3", - "depth": 6 - }, - { - "action": "update", - "resolves": [ - { - "id": 1006724, - "path": ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "jsprim", - "target": "1.4.2", - "depth": 7 - }, - { - "action": "update", - "resolves": [ - { - "id": 1006865, - "path": ".>karma>http-proxy>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1007026, - "path": ".>karma>http-proxy>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "follow-redirects", - "target": "1.14.9", - "depth": 4 - }, - { - "action": "update", - "resolves": [ - { - "id": 1006948, - "path": ".>karma>lodash", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006949, - "path": ".>karma>lodash", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006952, - 
"path": ".>karma>lodash", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "lodash", - "target": "4.17.21", - "depth": 3 - }, - { - "action": "review", - "module": "jsonpointer", - "resolves": [ - { - "id": 1004869, - "path": ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "axios", - "resolves": [ - { - "id": 1005018, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005506, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006349, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "tar", - "resolves": [ - { - "id": 1005040, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005043, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005046, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "pac-resolver", - "resolves": [ - { - "id": 1005062, - "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "url-parse", - "resolves": [ - { - "id": 1005084, - "path": ".>karma>log4js>amqplib>url-parse", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005404, - "path": ".>karma>log4js>amqplib>url-parse", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1007030, - "path": ".>karma>log4js>amqplib>url-parse", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": 
"socket.io-parser", - "resolves": [ - { - "id": 1005107, - "path": ".>karma>socket.io>socket.io-parser", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "xmlhttprequest-ssl", - "resolves": [ - { - "id": 1005175, - "path": ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005260, - "path": ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "redis", - "resolves": [ - { - "id": 1005277, - "path": ".>karma>log4js>redis", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "nodemailer", - "resolves": [ - { - "id": 1005307, - "path": ".>karma>log4js>nodemailer", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006788, - "path": ".>karma>log4js>nodemailer", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "underscore", - "resolves": [ - { - "id": 1005367, - "path": ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "netmask", - "resolves": [ - { - "id": 1005392, - "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006822, - "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "socket.io", - "resolves": [ - { - "id": 1005490, - "path": ".>karma>socket.io", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": 
"bl", - "resolves": [ - { - "id": 1005563, - "path": ".>karma>log4js>loggly>request>bl", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "timespan", - "resolves": [ - { - "id": 1005745, - "path": ".>karma>log4js>loggly>timespan", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "sync-exec", - "resolves": [ - { - "id": 1005902, - "path": ".>sync-exec", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "minimist", - "resolves": [ - { - "id": 1006180, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006180, - "path": ".>karma>optimist>minimist", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "braces", - "resolves": [ - { - "id": 1006342, - "path": ".>karma>expand-braces>braces", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006837, - "path": ".>karma>expand-braces>braces", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "tunnel-agent", - "resolves": [ - { - "id": 1006373, - "path": ".>karma>log4js>loggly>request>tunnel-agent", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "cryptiles", - "resolves": [ - { - "id": 1006603, - "path": ".>karma>log4js>loggly>request>hawk>cryptiles", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "hoek", - "resolves": [ - { - "id": 1006659, - "path": ".>karma>log4js>loggly>request>hawk>hoek", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "follow-redirects", - "resolves": [ - { - "id": 1006865, - "path": ".>axios>follow-redirects", - "dev": false, - 
"optional": false, - "bundled": false - }, - { - "id": 1007026, - "path": ".>axios>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "log4js", - "resolves": [ - { - "id": 1006902, - "path": ".>karma>log4js", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "glob-parent", - "resolves": [ - { - "id": 1006947, - "path": ".>karma>chokidar>glob-parent", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "engine.io", - "resolves": [ - { - "id": 1006975, - "path": ".>karma>socket.io>engine.io", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "karma", - "resolves": [ - { - "id": 1006997, - "path": ".>karma", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "ajv", - "resolves": [ - { - "id": 1007017, - "path": ".>karma>log4js>hipchat-notifier>request>har-validator>ajv", - "dev": false, - "optional": false, - "bundled": false - } - ] - } - ], "advisories": { - "1004869": { - "findings": [ - { - "version": "4.0.1", - "paths": [ - ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<5.0.0", - "module_name": "jsonpointer", - "severity": "moderate", - "github_advisory_id": "GHSA-282f-qqgm-c34q", - "cves": [ - "CVE-2021-23807" - ], - "access": "public", - "patched_versions": ">=5.0.0", - "updated": "2021-11-04T16:58:08.000Z", - "recommendation": "Upgrade to version 5.0.0 or later", - "cwe": "CWE-843", - "found_by": null, - "deleted": null, - "id": 1004869, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23807\\n- https://github.com/janl/node-jsonpointer/pull/51\\n- https://github.com/janl/node-jsonpointer/commit/a0345f3550cd9c4d89f33b126390202b89510ad4\\n- 
https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577288\\n- https://github.com/advisories/GHSA-282f-qqgm-c34q", - "created": "2021-11-18T16:00:48.459Z", - "reported_by": null, - "title": "Prototype Pollution in node-jsonpointer", - "npm_advisory_id": null, - "overview": "This affects the package \`jsonpointer\` before \`5.0.0\`. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.", - "url": "https://github.com/advisories/GHSA-282f-qqgm-c34q" - }, - "1005040": { - "findings": [ - { - "version": "4.4.15", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>tar" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.4.18", - "module_name": "tar", - "severity": "high", - "github_advisory_id": "GHSA-5955-9wpr-37jh", - "cves": [ - "CVE-2021-37713" - ], - "access": "public", - "patched_versions": ">=4.4.18", - "updated": "2021-08-31T16:02:33.000Z", - "recommendation": "Upgrade to version 4.4.18 or later", - "cwe": "CWE-22", - "found_by": null, - "deleted": null, - "id": 1005040, - "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh\\n- https://www.npmjs.com/package/tar\\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37713\\n- https://www.oracle.com/security-alerts/cpuoct2021.html\\n- https://github.com/advisories/GHSA-5955-9wpr-37jh", - "created": "2021-11-18T16:00:48.492Z", - "reported_by": null, - "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", - "npm_advisory_id": null, - "overview": "### Impact\\n\\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\\n\\nnode-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. 
This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory.\\n\\nThis logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\\\path\`. If the drive letter does not match the extraction target, for example \`D:\\\\extraction\\\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory.\\n\\nAdditionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path.\\n\\nThis only affects users of \`node-tar\` on Windows systems.\\n\\n### Patches\\n\\n4.4.18 || 5.0.10 || 6.1.9\\n\\n### Workarounds\\n\\nThere is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.\\n\\nUsers are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.\\n\\n### Fix\\n\\nThe fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not \\"absolute\\".\\n\\nAdditionally, a path starting with a drive letter and then two dots, like \`c:../\`, would bypass the check for \`..\` path portions. This is checked properly in the patched versions.\\n\\nFinally, a defense in depth check is added, such that if the \`entry.absolute\` is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. 
Currently, it is believed that this check is redundant, but it did catch some oversights in development.\\n", - "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh" - }, - "1005043": { - "findings": [ - { - "version": "4.4.15", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>tar" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.4.18", - "module_name": "tar", - "severity": "high", - "github_advisory_id": "GHSA-qq89-hq3f-393p", - "cves": [ - "CVE-2021-37712" - ], - "access": "public", - "patched_versions": ">=4.4.18", - "updated": "2021-08-31T16:02:05.000Z", - "recommendation": "Upgrade to version 4.4.18 or later", - "cwe": "CWE-22", - "found_by": null, - "deleted": null, - "id": 1005043, - "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p\\n- https://www.npmjs.com/package/tar\\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37712\\n- https://www.oracle.com/security-alerts/cpuoct2021.html\\n- https://www.debian.org/security/2021/dsa-5008\\n- https://github.com/advisories/GHSA-qq89-hq3f-393p", - "created": "2021-11-18T16:00:48.493Z", - "reported_by": null, - "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", - "npm_advisory_id": null, - "overview": "### Impact\\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\\n\\nnode-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\\n\\nThis logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. 
Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \\"short path\\" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\\n\\nThe v3 branch of \`node-tar\` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of \`node-tar\`. If this is not possible, a workaround is available below.\\n\\n### Patches\\n\\n6.1.9 || 5.0.10 || 4.4.18\\n\\n### Workarounds\\n\\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\\n\\n\`\`\`js\\nconst tar = require('tar')\\n\\ntar.x({\\n file: 'archive.tgz',\\n filter: (file, entry) => {\\n if (entry.type === 'SymbolicLink') {\\n return false\\n } else {\\n return true\\n }\\n }\\n})\\n\`\`\`\\n\\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\\n\\n#### Fix\\n\\nThe problem is addressed in the following ways, when comparing paths in the directory cache and path reservation systems:\\n\\n1. The \`String.normalize('NFKD')\` method is used to first normalize all unicode to its maximally compatible and multi-code-point form.\\n2. All slashes are normalized to \`/\` on Windows systems (on posix systems, \`\\\\\` is a valid filename character, and thus left intact).\\n3. When a symbolic link is encountered on Windows systems, the entire directory cache is cleared. 
Collisions related to use of 8.3 short names to replace directories with other (non-symlink) types of entries may make archives fail to extract properly, but will not result in arbitrary file writes.\\n", - "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p" - }, - "1005046": { - "findings": [ - { - "version": "4.4.15", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>tar" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.4.16", - "module_name": "tar", - "severity": "high", - "github_advisory_id": "GHSA-9r2w-394v-53qc", - "cves": [ - "CVE-2021-37701" - ], - "access": "public", - "patched_versions": ">=4.4.16", - "updated": "2021-08-31T16:01:51.000Z", - "recommendation": "Upgrade to version 4.4.16 or later", - "cwe": "CWE-22", - "found_by": null, - "deleted": null, - "id": 1005046, - "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\\n- https://www.npmjs.com/package/tar\\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37701\\n- https://www.oracle.com/security-alerts/cpuoct2021.html\\n- https://www.debian.org/security/2021/dsa-5008\\n- https://github.com/advisories/GHSA-9r2w-394v-53qc", - "created": "2021-11-18T16:00:48.493Z", - "reported_by": null, - "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", - "npm_advisory_id": null, - "overview": "### Impact\\n\\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\\n\\n\`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\\n\\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\\\` and \`/\` characters as path separators, however \`\\\\\` is a valid filename character on posix systems.\\n\\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\\n\\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \\n\\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\\n\\nThe v3 branch of \`node-tar\` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of \`node-tar\`. 
If this is not possible, a workaround is available below.\\n\\n### Patches\\n\\n4.4.16 || 5.0.8 || 6.1.7\\n\\n### Workarounds\\n\\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\\n\\n\`\`\`js\\nconst tar = require('tar')\\n\\ntar.x({\\n file: 'archive.tgz',\\n filter: (file, entry) => {\\n if (entry.type === 'SymbolicLink') {\\n return false\\n } else {\\n return true\\n }\\n }\\n})\\n\`\`\`\\n\\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\\n\\n### Fix\\n\\nThe problem is addressed in the following ways:\\n\\n1. All paths are normalized to use \`/\` as a path separator, replacing \`\\\\\` with \`/\` on Windows systems, and leaving \`\\\\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\\n\\n#### Caveat\\n\\nNote that this means that the \`entry\` objects exposed in various parts of tar's API will now always use \`/\` as a path separator, even on Windows systems. 
This is not expected to cause problems, as \`/\` is a valid path separator on Windows systems, but _may_ result in issues if \`entry.path\` is compared against a path string coming from some other API such as \`fs.realpath()\` or \`path.resolve()\`.\\n\\nUsers are encouraged to always normalize paths using a well-tested method such as \`path.resolve()\` before comparing paths to one another.", - "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc" - }, - "1005062": { - "findings": [ - { - "version": "3.0.0", - "paths": [ - ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<5.0.0", - "module_name": "pac-resolver", - "severity": "high", - "github_advisory_id": "GHSA-9j49-mfvp-vmhm", - "cves": [ - "CVE-2021-23406" - ], - "access": "public", - "patched_versions": ">=5.0.0", - "updated": "2021-08-25T19:28:31.000Z", - "recommendation": "Upgrade to version 5.0.0 or later", - "cwe": "CWE-94", - "found_by": null, - "deleted": null, - "id": 1005062, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23406\\n- https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e\\n- https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5\\n- https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506\\n- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857\\n- https://github.com/advisories/GHSA-9j49-mfvp-vmhm", - "created": "2021-11-18T16:00:48.495Z", - "reported_by": null, - "title": "Code Injection in pac-resolver", - "npm_advisory_id": null, - "overview": "This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. 
**NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.", - "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" - }, - "1005084": { - "findings": [ - { - "version": "1.4.7", - "paths": [ - ".>karma>log4js>amqplib>url-parse" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.5.2", - "module_name": "url-parse", - "severity": "moderate", - "github_advisory_id": "GHSA-hh27-ffr2-f2jc", - "cves": [ - "CVE-2021-3664" - ], - "access": "public", - "patched_versions": ">=1.5.2", - "updated": "2021-08-02T21:28:22.000Z", - "recommendation": "Upgrade to version 1.5.2 or later", - "cwe": "CWE-601", - "found_by": null, - "deleted": null, - "id": 1005084, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3664\\n- https://github.com/unshiftio/url-parse/issues/205\\n- https://github.com/unshiftio/url-parse/issues/206\\n- https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0\\n- https://huntr.dev/bounties/1625557993985-unshiftio/url-parse\\n- https://github.com/advisories/GHSA-hh27-ffr2-f2jc", - "created": "2021-11-18T16:00:48.498Z", - "reported_by": null, - "title": "Open redirect in url-parse", - "npm_advisory_id": null, - "overview": "# Overview\\n\\nAffected versions of npm \`url-parse\` are vulnerable to URL Redirection to Untrusted Site.\\n\\n# Impact\\n\\nDepending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.", - "url": "https://github.com/advisories/GHSA-hh27-ffr2-f2jc" - }, - "1005107": { - "findings": [ - { - "version": "3.1.3", - "paths": [ - ".>karma>socket.io>socket.io-parser" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<3.3.2", - "module_name": "socket.io-parser", - "severity": "high", - "github_advisory_id": "GHSA-xfhh-g9f5-x4m4", - "cves": [ - "CVE-2020-36049" - ], - "access": "public", - "patched_versions": ">=3.3.2", - 
"updated": "2021-06-30T16:54:43.000Z", - "recommendation": "Upgrade to version 3.3.2 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1005107, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-36049\\n- https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55\\n- https://blog.caller.xyz/socketio-engineio-dos/\\n- https://github.com/bcaller/kill-engine-io\\n- https://github.com/socketio/socket.io-parser/releases/tag/3.3.2\\n- https://github.com/socketio/socket.io-parser/releases/tag/3.4.1\\n- https://www.npmjs.com/package/socket.io-parser\\n- https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", - "created": "2021-11-18T16:00:48.501Z", - "reported_by": null, - "title": "Resource exhaustion in socket.io-parser", - "npm_advisory_id": null, - "overview": "The \`socket.io-parser\` npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", - "url": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4" - }, - "1005175": { - "findings": [ - { - "version": "1.5.5", - "paths": [ - ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.6.1", - "module_name": "xmlhttprequest-ssl", - "severity": "critical", - "github_advisory_id": "GHSA-72mh-269x-7mh5", - "cves": [ - "CVE-2021-31597" - ], - "access": "public", - "patched_versions": ">=1.6.1", - "updated": "2021-05-20T21:59:29.000Z", - "recommendation": "Upgrade to version 1.6.1 or later", - "cwe": "CWE-295", - "found_by": null, - "deleted": null, - "id": 1005175, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-31597\\n- https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2\\n- https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1\\n- 
https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt\\n- https://security.netapp.com/advisory/ntap-20210618-0004/\\n- https://github.com/advisories/GHSA-72mh-269x-7mh5", - "created": "2021-11-18T16:00:48.519Z", - "reported_by": null, - "title": "Improper Certificate Validation in xmlhttprequest-ssl", - "npm_advisory_id": null, - "overview": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", - "url": "https://github.com/advisories/GHSA-72mh-269x-7mh5" - }, - "1005260": { - "findings": [ - { - "version": "1.5.5", - "paths": [ - ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.6.2", - "module_name": "xmlhttprequest-ssl", - "severity": "high", - "github_advisory_id": "GHSA-h4j5-c7cj-74xg", - "cves": [ - "CVE-2020-28502" - ], - "access": "public", - "patched_versions": ">=1.6.2", - "updated": "2021-05-04T18:00:49.000Z", - "recommendation": "Upgrade to version 1.6.2 or later", - "cwe": "CWE-94", - "found_by": null, - "deleted": null, - "id": 1005260, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28502\\n- https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6\\n- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480\\n- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480\\n- https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938\\n- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935\\n- 
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936\\n- https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291\\n- https://github.com/advisories/GHSA-h4j5-c7cj-74xg", - "created": "2021-11-18T16:00:48.526Z", - "reported_by": null, - "title": "Arbitrary Code Injection", - "npm_advisory_id": null, - "overview": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", - "url": "https://github.com/advisories/GHSA-h4j5-c7cj-74xg" - }, - "1005307": { - "findings": [ - { - "version": "2.7.2", - "paths": [ - ".>karma>log4js>nodemailer" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.4.16", - "module_name": "nodemailer", - "severity": "critical", - "github_advisory_id": "GHSA-48ww-j4fc-435p", - "cves": [ - "CVE-2020-7769" - ], - "access": "public", - "patched_versions": ">=6.4.16", - "updated": "2021-04-19T22:42:20.000Z", - "recommendation": "Upgrade to version 6.4.16 or later", - "cwe": "CWE-88", - "found_by": null, - "deleted": null, - "id": 1005307, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-7769\\n- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54\\n- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742\\n- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834\\n- https://www.npmjs.com/package/nodemailer\\n- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75\\n- https://github.com/advisories/GHSA-48ww-j4fc-435p", - "created": "2021-11-18T16:00:48.531Z", - "reported_by": null, - "title": "Command injection in nodemailer", - "npm_advisory_id": null, - "overview": 
"This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.", - "url": "https://github.com/advisories/GHSA-48ww-j4fc-435p" - }, - "1005367": { - "findings": [ - { - "version": "1.7.0", - "paths": [ - ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore" - ] - } - ], - "metadata": null, - "vulnerable_versions": ">=1.3.2 <1.12.1", - "module_name": "underscore", - "severity": "high", - "github_advisory_id": "GHSA-cf4h-3jhx-xvhq", - "cves": [ - "CVE-2021-23358" - ], - "access": "public", - "patched_versions": ">=1.12.1", - "updated": "2021-03-31T21:59:01.000Z", - "recommendation": "Upgrade to version 1.12.1 or later", - "cwe": "CWE-94", - "found_by": null, - "deleted": null, - "id": 1005367, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23358\\n- https://github.com/jashkenas/underscore/pull/2917\\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\\n- https://www.npmjs.com/package/underscore\\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\\n- https://www.debian.org/security/2021/dsa-4883\\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\\n- 
https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\\n- https://www.tenable.com/security/tns-2021-14\\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", - "created": "2021-11-18T16:00:48.535Z", - "reported_by": null, - "title": "Arbitrary Code Execution in underscore", - "npm_advisory_id": null, - "overview": "The package \`underscore\` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", - "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq" - }, - "1005392": { - "findings": [ - { - "version": "1.0.6", - "paths": [ - ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<2.0.1", - "module_name": "netmask", - "severity": "moderate", - "github_advisory_id": "GHSA-pch5-whg9-qr2r", - "cves": [ - "CVE-2021-29418" - ], - "access": "public", - "patched_versions": ">=2.0.1", - "updated": "2021-03-29T21:31:25.000Z", - "recommendation": "Upgrade to version 2.0.1 or later", - "cwe": "CWE-20", - "found_by": null, - "deleted": null, - "id": 1005392, - "references": "- https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4\\n- https://sick.codes/sick-2021-011\\n- 
https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/\\n- https://www.npmjs.com/package/netmask\\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29418\\n- https://vuln.ryotak.me/advisories/6\\n- https://security.netapp.com/advisory/ntap-20210604-0001/\\n- https://github.com/advisories/GHSA-pch5-whg9-qr2r", - "created": "2021-11-18T16:00:48.537Z", - "reported_by": null, - "title": "netmask npm package vulnerable to octal input data", - "npm_advisory_id": null, - "overview": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.", - "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r" - }, - "1005404": { - "findings": [ - { - "version": "1.4.7", - "paths": [ - ".>karma>log4js>amqplib>url-parse" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.5.0", - "module_name": "url-parse", - "severity": "high", - "github_advisory_id": "GHSA-9m6j-fcg5-2442", - "cves": [ - "CVE-2021-27515" - ], - "access": "public", - "patched_versions": ">=1.5.0", - "updated": "2021-03-22T21:04:52.000Z", - "recommendation": "Upgrade to version 1.5.0 or later", - "cwe": "CWE-23", - "found_by": null, - "deleted": null, - "id": 1005404, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-27515\\n- https://github.com/unshiftio/url-parse/pull/197\\n- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0\\n- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0\\n- https://advisory.checkmarx.net/advisory/CX-2021-4306\\n- https://github.com/advisories/GHSA-9m6j-fcg5-2442", - "created": "2021-11-18T16:00:48.538Z", - "reported_by": null, - 
"title": "Path traversal in url-parse", - "npm_advisory_id": null, - "overview": "url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\\\/ and interprets the URI as a relative path.", - "url": "https://github.com/advisories/GHSA-9m6j-fcg5-2442" - }, - "1005490": { - "findings": [ - { - "version": "2.0.4", - "paths": [ - ".>karma>socket.io" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<2.4.0", - "module_name": "socket.io", - "severity": "moderate", - "github_advisory_id": "GHSA-fxwf-4rqh-v8g3", - "cves": [ - "CVE-2020-28481" - ], - "access": "public", - "patched_versions": ">=2.4.0", - "updated": "2021-01-20T05:39:25.000Z", - "recommendation": "Upgrade to version 2.4.0 or later", - "cwe": "CWE-346", - "found_by": null, - "deleted": null, - "id": 1005490, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28481\\n- https://github.com/socketio/socket.io/issues/3671\\n- https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357\\n- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859\\n- https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", - "created": "2021-11-18T16:00:48.545Z", - "reported_by": null, - "title": "Insecure defaults due to CORS misconfiguration in socket.io", - "npm_advisory_id": null, - "overview": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. 
All domains are whitelisted by default.", - "url": "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3" - }, - "1005563": { - "findings": [ - { - "version": "1.1.2", - "paths": [ - ".>karma>log4js>loggly>request>bl" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.2.3", - "module_name": "bl", - "severity": "high", - "github_advisory_id": "GHSA-pp7h-53gx-mx7r", - "cves": [ - "CVE-2020-8244" - ], - "access": "public", - "patched_versions": ">=1.2.3", - "updated": "2020-09-08T19:01:38.000Z", - "recommendation": "Upgrade to version 1.2.3 or later", - "cwe": "CWE-125", - "found_by": null, - "deleted": null, - "id": 1005563, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-8244\\n- https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e\\n- https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190\\n- https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466\\n- https://hackerone.com/reports/966347\\n- https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "created": "2021-11-18T16:00:48.550Z", - "reported_by": null, - "title": "Remote Memory Exposure in bl", - "npm_advisory_id": null, - "overview": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" - }, - "1005586": { - "findings": [ - { - "version": "1.18.0", - "paths": [ - ".>karma>http-proxy" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.18.1", - "module_name": "http-proxy", - "severity": "high", - "github_advisory_id": "GHSA-6x33-pw7p-hmpq", - "cves": [], - "access": "public", - "patched_versions": ">=1.18.1", - "updated": "2020-08-31T19:01:07.000Z", - "recommendation": "Upgrade to version 
1.18.1 or later", - "cwe": "", - "found_by": null, - "deleted": null, - "id": 1005586, - "references": "- https://github.com/http-party/node-http-proxy/pull/1447/files\\n- https://www.npmjs.com/advisories/1486\\n- https://github.com/advisories/GHSA-6x33-pw7p-hmpq", - "created": "2021-11-18T16:00:48.552Z", - "reported_by": null, - "title": "Denial of Service in http-proxy", - "npm_advisory_id": null, - "overview": "Versions of \`http-proxy\` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an \`ERR_HTTP_HEADERS_SENT\` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the \`proxyReq.setHeader\` function. \\n\\nFor a proxy server running on \`http://localhost:3000\`, the following curl request triggers the unhandled exception: \\n\`\`\`curl -XPOST http://localhost:3000 -d \\"$(python -c 'print(\\"x\\"*1025)')\\"\`\`\`\\n\\n\\n## Recommendation\\n\\nUpgrade to version 1.18.1 or later", - "url": "https://github.com/advisories/GHSA-6x33-pw7p-hmpq" - }, - "1005902": { - "findings": [ - { - "version": "0.6.2", - "paths": [ - ".>sync-exec" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.6.2", - "module_name": "sync-exec", - "severity": "moderate", - "github_advisory_id": "GHSA-38h8-x697-gh8q", - "cves": [ - "CVE-2017-16024" - ], - "access": "public", - "patched_versions": "<0.0.0", - "updated": "2020-08-31T18:18:48.000Z", - "recommendation": "None", - "cwe": "CWE-377", - "found_by": null, - "deleted": null, - "id": 1005902, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16024\\n- https://github.com/gvarsanyi/sync-exec/issues/17\\n- https://cwe.mitre.org/data/definitions/377.html\\n- https://github.com/advisories/GHSA-38h8-x697-gh8q\\n- https://www.npmjs.com/advisories/310\\n- https://nodesecurity.io/advisories/310\\n- https://www.owasp.org/index.php/Insecure_Temporary_File", - "created": "2021-11-18T16:00:48.581Z", - 
"reported_by": null, - "title": "Tmp files readable by other users in sync-exec", - "npm_advisory_id": null, - "overview": "Affected versions of \`sync-exec\` use files located in \`/tmp/\` to buffer command results before returning values. As \`/tmp/\` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via \`sync-exec\` under a higher privilege user.\\n\\n\\n## Recommendation\\n\\nThere is currently no direct patch for \`sync-exec\`, as the \`child_process.execSync\` function provided in Node.js v0.12.0 and later provides the same functionality natively. \\n\\nThe best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of \`sync-exec\` to \`child_process.execSync()\`.", - "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q" - }, - "1006110": { - "findings": [ - { - "version": "6.0.2", - "paths": [ - ".>karma>chokidar>anymatch>micromatch>kind-of" - ] - } - ], - "metadata": null, - "vulnerable_versions": ">=6.0.0 <6.0.3", - "module_name": "kind-of", - "severity": "high", - "github_advisory_id": "GHSA-6c8f-qphg-qjgp", - "cves": [ - "CVE-2019-20149" - ], - "access": "public", - "patched_versions": ">=6.0.3", - "updated": "2020-07-01T18:33:47.000Z", - "recommendation": "Upgrade to version 6.0.3 or later", - "cwe": "CWE-668", - "found_by": null, - "deleted": null, - "id": 1006110, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-20149\\n- https://github.com/jonschlinkert/kind-of/issues/30\\n- https://github.com/jonschlinkert/kind-of/pull/31\\n- https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b\\n- https://snyk.io/vuln/SNYK-JS-KINDOF-537849\\n- https://www.npmjs.com/advisories/1490\\n- https://github.com/advisories/GHSA-6c8f-qphg-qjgp", - "created": "2021-11-18T16:00:48.599Z", - "reported_by": null, - "title": "Validation Bypass in kind-of", - "npm_advisory_id": null, - "overview": "Versions of 
\`kind-of\` 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation. \\n\\n\\n## Recommendation\\n\\nUpgrade to versions 6.0.3 or later.", - "url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp" - }, - "1006373": { + "1085744": { "findings": [ { "version": "0.4.3", "paths": [ ".>karma>log4js>loggly>request>tunnel-agent" - ] + ], + "dev": false, + "optional": true, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": "<0.6.0", - "module_name": "tunnel-agent", - "severity": "moderate", - "github_advisory_id": "GHSA-xc7v-wxcw-j472", - "cves": [], - "access": "public", - "patched_versions": ">=0.6.0", - "updated": "2019-06-03T17:08:06.000Z", - "recommendation": "Upgrade to version 0.6.0 or later", - "cwe": "CWE-200", - "found_by": null, - "deleted": null, - "id": 1006373, - "references": "- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\\n- https://www.npmjs.com/advisories/598\\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472", - "created": "2021-11-18T16:00:48.619Z", - "reported_by": null, + "id": 1085744, "title": "Memory Exposure in tunnel-agent", - "npm_advisory_id": null, - "overview": "Versions of \`tunnel-agent\` before 0.6.0 are vulnerable to memory exposure.\\n\\nThis is exploitable if user supplied input is provided to the auth value and is a number.\\n\\nProof-of-concept:\\n\`\`\`js\\nrequire('request')({\\n method: 'GET',\\n uri: 'http://www.example.com',\\n tunnel: true,\\n proxy:{\\n protocol: 'http:',\\n host:'127.0.0.1',\\n port:8080,\\n auth:USERSUPPLIEDINPUT // number\\n }\\n});\\n\`\`\`\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.6.0 or later.", + "module_name": "tunnel-agent", + "vulnerable_versions": "<0.6.0", + "patched_versions": ">=0.6.0", + "severity": "moderate", + "cwe": 
"CWE-200", + "github_advisory_id": "GHSA-xc7v-wxcw-j472", "url": "https://github.com/advisories/GHSA-xc7v-wxcw-j472" }, - "1006603": { + "1089196": { "findings": [ { - "version": "2.0.5", + "version": "2.8.0", "paths": [ - ".>karma>log4js>loggly>request>hawk>cryptiles" - ] + ".>karma>log4js>redis" + ], + "dev": false, + "optional": true, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": "<4.1.2", - "module_name": "cryptiles", - "severity": "critical", - "github_advisory_id": "GHSA-rq8g-5pc5-wrhr", - "cves": [ - "CVE-2018-1000620" - ], - "access": "public", - "patched_versions": ">=4.1.2", - "updated": "2018-09-11T18:22:44.000Z", - "recommendation": "Upgrade to version 4.1.2 or later", - "cwe": "CWE-331", - "found_by": null, - "deleted": null, - "id": 1006603, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-1000620\\n- https://github.com/hapijs/cryptiles/issues/34\\n- https://github.com/advisories/GHSA-rq8g-5pc5-wrhr\\n- https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json\\n- https://www.npmjs.com/advisories/720\\n- https://www.npmjs.com/advisories/1464", - "created": "2021-11-18T16:00:48.639Z", - "reported_by": null, - "title": "Insufficient Entropy in cryptiles", - "npm_advisory_id": null, - "overview": "Versions of \`cryptiles\` prior to 4.1.2 are vulnerable to Insufficient Entropy. The \`randomDigits()\` method does not provide sufficient entropy and its generates digits that are not evenly distributed.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 4.1.2. 
The package is deprecated and has been moved to \`@hapi/cryptiles\` and it is strongly recommended to use the maintained package.", - "url": "https://github.com/advisories/GHSA-rq8g-5pc5-wrhr" - }, - "1006659": { - "findings": [ - { - "version": "2.16.3", - "paths": [ - ".>karma>log4js>loggly>request>hawk>hoek" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.2.1", - "module_name": "hoek", - "severity": "moderate", - "github_advisory_id": "GHSA-jp4x-w63m-7wgm", - "cves": [ - "CVE-2018-3728" - ], - "access": "public", - "patched_versions": ">=4.2.1", - "updated": "2018-04-27T13:38:53.000Z", - "recommendation": "Upgrade to version 4.2.1 or later", - "cwe": "CWE-471", - "found_by": null, - "deleted": null, - "id": 1006659, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3728\\n- https://hackerone.com/reports/310439\\n- https://github.com/advisories/GHSA-jp4x-w63m-7wgm\\n- https://www.npmjs.com/advisories/566\\n- https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee\\n- https://access.redhat.com/errata/RHSA-2018:1263\\n- https://access.redhat.com/errata/RHSA-2018:1264\\n- https://nodesecurity.io/advisories/566\\n- https://snyk.io/vuln/npm:hoek:20180212\\n- http://www.securityfocus.com/bid/103108", - "created": "2021-11-18T16:00:48.643Z", - "reported_by": null, - "title": "Prototype Pollution in hoek", - "npm_advisory_id": null, - "overview": "Versions of \`hoek\` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\\n\\nThe \`merge\` function, and the \`applyToDefaults\` and \`applyToDefaultsWithShallow\` functions which leverage \`merge\` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the \`__proto__\` property.\\n\\nThis can be demonstrated like so:\\n\\n\`\`\`javascript\\nvar Hoek = require('hoek');\\nvar malicious_payload = '{\\"__proto__\\":{\\"oops\\":\\"It works !\\"}}';\\n\\nvar a = 
{};\\nconsole.log(\\"Before : \\" + a.oops);\\nHoek.merge({}, JSON.parse(malicious_payload));\\nconsole.log(\\"After : \\" + a.oops);\\n\`\`\`\\n\\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.2.1, 5.0.3 or later.", - "url": "https://github.com/advisories/GHSA-jp4x-w63m-7wgm" - }, - "1006724": { - "findings": [ - { - "version": "0.2.3", - "paths": [ - ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<0.4.0", - "module_name": "json-schema", - "severity": "moderate", - "github_advisory_id": "GHSA-896r-f27r-55mw", - "cves": [ - "CVE-2021-3918" - ], - "access": "public", - "patched_versions": ">=0.4.0", - "updated": "2021-11-15T22:44:28.000Z", - "recommendation": "Upgrade to version 0.4.0 or later", - "cwe": "CWE-915", - "found_by": null, - "deleted": null, - "id": 1006724, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\\n- https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\\n- https://github.com/advisories/GHSA-896r-f27r-55mw", - "created": "2021-11-19T21:00:41.916Z", - "reported_by": null, - "title": "json-schema is vulnerable to Prototype Pollution", - "npm_advisory_id": null, - "overview": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", - "url": "https://github.com/advisories/GHSA-896r-f27r-55mw" - }, - "1006788": { - "findings": [ - { - "version": "2.7.2", - "paths": [ - ".>karma>log4js>nodemailer" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.6.1", - "module_name": "nodemailer", - 
"severity": "moderate", - "github_advisory_id": "GHSA-hwqf-gcqm-7353", - "cves": [ - "CVE-2021-23400" - ], - "access": "public", - "patched_versions": ">=6.6.1", - "updated": "2021-06-30T17:38:02.000Z", - "recommendation": "Upgrade to version 6.6.1 or later", - "cwe": "CWE-74", - "found_by": null, - "deleted": null, - "id": 1006788, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23400\\n- https://github.com/nodemailer/nodemailer/issues/1289\\n- https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737\\n- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415\\n- https://github.com/advisories/GHSA-hwqf-gcqm-7353", - "created": "2021-12-10T19:00:45.984Z", - "reported_by": null, - "title": "Header injection in nodemailer", - "npm_advisory_id": null, - "overview": "The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.", - "url": "https://github.com/advisories/GHSA-hwqf-gcqm-7353" - }, - "1006822": { - "findings": [ - { - "version": "1.0.6", - "paths": [ - ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.1.0", - "module_name": "netmask", - "severity": "critical", - "github_advisory_id": "GHSA-4c7m-wxvm-r7gc", - "cves": [ - "CVE-2021-28918" - ], - "access": "public", - "patched_versions": ">=1.1.0", - "updated": "2021-04-13T16:13:23.000Z", - "recommendation": "Upgrade to version 1.1.0 or later", - "cwe": "CWE-20", - "found_by": null, - "deleted": null, - "id": 1006822, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-28918\\n- https://github.com/rs/node-netmask/blob/98294cb20695f2c6c36219a4fbcd4744fb8d0682/CHANGELOG.md#v110-mar-18-2021\\n- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md\\n- 
https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/\\n- https://www.npmjs.com/package/netmask\\n- https://github.com/advisories/GHSA-pch5-whg9-qr2r\\n- https://security.netapp.com/advisory/ntap-20210528-0010/\\n- https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/\\n- https://github.com/advisories/GHSA-4c7m-wxvm-r7gc", - "created": "2022-01-04T20:00:43.966Z", - "reported_by": null, - "title": "Improper parsing of octal bytes in netmask", - "npm_advisory_id": null, - "overview": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.\\n\\n:exclamation: NOTE: The fix for this issue was incomplete. A subsequent fix was made in version \`2.0.1\` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). 
For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.", - "url": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc" - }, - "1006865": { - "findings": [ - { - "version": "1.0.0", - "paths": [ - ".>axios>follow-redirects" - ] - }, - { - "version": "1.9.0", - "paths": [ - ".>karma>http-proxy>follow-redirects" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.14.7", - "module_name": "follow-redirects", + "id": 1089196, + "title": "Node-Redis potential exponential regex in monitor mode", + "module_name": "redis", + "vulnerable_versions": ">=2.6.0 <3.1.1", + "patched_versions": ">=3.1.1", "severity": "high", - "github_advisory_id": "GHSA-74fj-2j2h-c42q", - "cves": [ - "CVE-2022-0155" - ], - "access": "public", - "patched_versions": ">=1.14.7", - "updated": "2022-01-11T18:41:09.000Z", - "recommendation": "Upgrade to version 1.14.7 or later", - "cwe": "CWE-359", - "found_by": null, - "deleted": null, - "id": 1006865, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q", - "created": "2022-01-12T23:00:43.967Z", - "reported_by": null, - "title": "Exposure of sensitive information in follow-redirects", - "npm_advisory_id": null, - "overview": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor", - "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q" - }, - "1006902": { - "findings": [ - { - "version": "2.11.0", - "paths": [ - ".>karma>log4js" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.4.0", - "module_name": "log4js", - "severity": "moderate", - "github_advisory_id": "GHSA-82v2-mx6x-wq7q", - "cves": [ - "CVE-2022-21704" - ], - "access": "public", - "patched_versions": ">=6.4.0", - "updated": 
"2022-01-19T22:47:15.000Z", - "recommendation": "Upgrade to version 6.4.0 or later", - "cwe": "CWE-276", - "found_by": null, - "deleted": null, - "id": 1006902, - "references": "- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\\n- https://github.com/log4js-node/streamroller/pull/87\\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q", - "created": "2022-01-25T20:00:44.170Z", - "reported_by": null, - "title": "Incorrect Default Permissions in log4js", - "npm_advisory_id": null, - "overview": "### Impact\\r\\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\\r\\n\\r\\n### Patches\\r\\nFixed by:\\r\\n* https://github.com/log4js-node/log4js-node/pull/1141\\r\\n* https://github.com/log4js-node/streamroller/pull/87\\r\\n\\r\\nReleased to NPM in log4js@6.4.0\\r\\n\\r\\n### Workarounds\\r\\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\\r\\n\\r\\n### References\\r\\n\\r\\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @peteriman for fixing the problem.\\r\\n\\r\\n### For more information\\r\\nIf you have any questions or comments about this advisory:\\r\\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\\r\\n* Ask a question in the [slack 
channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\\r\\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\\r\\n", - "url": "https://github.com/advisories/GHSA-82v2-mx6x-wq7q" - }, - "1006947": { - "findings": [ - { - "version": "3.1.0", - "paths": [ - ".>karma>chokidar>glob-parent" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<5.1.2", - "module_name": "glob-parent", - "severity": "high", - "github_advisory_id": "GHSA-ww39-953v-wcq6", - "cves": [ - "CVE-2020-28469" - ], - "access": "public", - "patched_versions": ">=5.1.2", - "updated": "2021-06-04T18:30:46.000Z", - "recommendation": "Upgrade to version 5.1.2 or later", "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006947, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\\n- https://github.com/gulpjs/glob-parent/pull/36\\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\\n- https://www.oracle.com/security-alerts/cpujan2022.html\\n- https://github.com/advisories/GHSA-ww39-953v-wcq6", - "created": "2022-02-08T22:00:42.497Z", - "reported_by": null, - "title": "Regular expression denial of service", - "npm_advisory_id": null, - "overview": "This affects the package glob-parent before 5.1.2. 
The enclosure regex used to check for strings ending in enclosure containing path separator.", - "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6" + "github_advisory_id": "GHSA-35q2-47q7-3pc3", + "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3" }, - "1006948": { - "findings": [ - { - "version": "4.17.15", - "paths": [ - ".>karma>lodash" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.17.21", - "module_name": "lodash", - "severity": "high", - "github_advisory_id": "GHSA-35jh-r3h4-6jhm", - "cves": [ - "CVE-2021-23337" - ], - "access": "public", - "patched_versions": ">=4.17.21", - "updated": "2021-03-31T23:59:26.000Z", - "recommendation": "Upgrade to version 4.17.21 or later", - "cwe": "CWE-77", - "found_by": null, - "deleted": null, - "id": 1006948, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\\n- https://security.netapp.com/advisory/ntap-20210312-0006/\\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\\n- https://www.oracle.com//security-alerts/cpujul2021.html\\n- https://www.oracle.com/security-alerts/cpuoct2021.html\\n- https://www.oracle.com/security-alerts/cpujan2022.html\\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "created": "2022-02-08T22:00:42.498Z", - "reported_by": null, - "title": "Command Injection in lodash", - "npm_advisory_id": null, - "overview": "\`lodash\` versions prior to 4.17.21 are vulnerable to 
Command Injection via the template function.", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - }, - "1006949": { - "findings": [ - { - "version": "4.17.15", - "paths": [ - ".>karma>lodash" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.17.21", - "module_name": "lodash", - "severity": "moderate", - "github_advisory_id": "GHSA-29mw-wpgm-hmr9", - "cves": [ - "CVE-2020-28500" - ], - "access": "public", - "patched_versions": ">=4.17.21", - "updated": "2021-03-19T22:45:29.000Z", - "recommendation": "Upgrade to version 4.17.21 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006949, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\\n- https://github.com/lodash/lodash/pull/5065\\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\\n- https://security.netapp.com/advisory/ntap-20210312-0006/\\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\\n- https://www.oracle.com//security-alerts/cpujul2021.html\\n- https://www.oracle.com/security-alerts/cpuoct2021.html\\n- https://www.oracle.com/security-alerts/cpujan2022.html\\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9", - "created": "2022-02-08T22:00:42.498Z", - "reported_by": null, - "title": "Regular Expression Denial of Service (ReDoS) in lodash", - "npm_advisory_id": null, - "overview": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. 
Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \\"1\\" for (var i = 0; i < n; i++) { ret += \\" \\" } return ret + \\"1\\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\\"time_cost0: \\" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\\"time_cost1: \\" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\\"time_cost2: \\" + time_cost2)", - "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" - }, - "1006952": { - "findings": [ - { - "version": "4.17.15", - "paths": [ - ".>karma>lodash" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.17.19", - "module_name": "lodash", - "severity": "high", - "github_advisory_id": "GHSA-p6mc-m468-83gw", - "cves": [ - "CVE-2020-8203" - ], - "access": "public", - "patched_versions": ">=4.17.19", - "updated": "2020-07-15T19:15:01.000Z", - "recommendation": "Upgrade to version 4.17.19 or later", - "cwe": "CWE-770", - "found_by": null, - "deleted": null, - "id": 1006952, - "references": "- https://github.com/lodash/lodash/issues/4744\\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\\n- https://www.npmjs.com/advisories/1523\\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\\n- https://hackerone.com/reports/712065\\n- https://security.netapp.com/advisory/ntap-20200724-0006/\\n- https://github.com/lodash/lodash/issues/4874\\n- https://www.oracle.com/security-alerts/cpuApr2021.html\\n- https://www.oracle.com//security-alerts/cpujul2021.html\\n- https://www.oracle.com/security-alerts/cpuoct2021.html\\n- https://www.oracle.com/security-alerts/cpujan2022.html\\n- https://github.com/advisories/GHSA-p6mc-m468-83gw", - "created": "2022-02-08T23:00:41.860Z", - "reported_by": null, - "title": "Prototype Pollution in lodash", - "npm_advisory_id": null, - 
"overview": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\\n\\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.", - "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" - }, - "1006975": { + "1089526": { "findings": [ { "version": "3.1.5", "paths": [ ".>karma>socket.io>engine.io" - ] + ], + "dev": false, + "optional": false, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": "<4.0.0", + "id": 1089526, + "title": "Uncaught exception in engine.io", "module_name": "engine.io", - "severity": "high", - "github_advisory_id": "GHSA-j4f2-536g-r55m", - "cves": [ - "CVE-2020-36048" - ], - "access": "public", - "patched_versions": ">=4.0.0", - "updated": "2021-04-06T22:58:34.000Z", - "recommendation": "Upgrade to version 4.0.0 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006975, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-36048\\n- https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b\\n- https://blog.caller.xyz/socketio-engineio-dos/\\n- https://github.com/bcaller/kill-engine-io\\n- https://github.com/advisories/GHSA-j4f2-536g-r55m", - "created": "2022-02-09T23:00:44.110Z", - "reported_by": null, - "title": "Resource exhaustion in engine.io ", - "npm_advisory_id": null, - "overview": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.", - "url": "https://github.com/advisories/GHSA-j4f2-536g-r55m" + "vulnerable_versions": "<3.6.1", + "patched_versions": ">=3.6.1", + "severity": "moderate", 
+ "cwe": "CWE-248", + "github_advisory_id": "GHSA-r7qp-cfhv-p84w", + "url": "https://github.com/advisories/GHSA-r7qp-cfhv-p84w" }, - "1006997": { + "1089709": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1089709, + "title": "Header injection in nodemailer", + "module_name": "nodemailer", + "vulnerable_versions": "<6.6.1", + "patched_versions": ">=6.6.1", + "severity": "moderate", + "cwe": "CWE-74", + "github_advisory_id": "GHSA-hwqf-gcqm-7353", + "url": "https://github.com/advisories/GHSA-hwqf-gcqm-7353" + }, + "1089711": { + "findings": [ + { + "version": "3.1.3", + "paths": [ + ".>karma>socket.io>socket.io-client>socket.io-parser", + ".>karma>socket.io>socket.io-parser" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1089711, + "title": "Resource exhaustion in socket.io-parser", + "module_name": "socket.io-parser", + "vulnerable_versions": "<3.3.2", + "patched_versions": ">=3.3.2", + "severity": "high", + "cwe": "CWE-400", + "github_advisory_id": "GHSA-xfhh-g9f5-x4m4", + "url": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4" + }, + "1089880": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1089880, + "title": "Command injection in nodemailer", + "module_name": "nodemailer", + "vulnerable_versions": "<6.4.16", + "patched_versions": ">=6.4.16", + "severity": "critical", + "cwe": "CWE-88", + "github_advisory_id": "GHSA-48ww-j4fc-435p", + "url": "https://github.com/advisories/GHSA-48ww-j4fc-435p" + }, + "1089900": { + "findings": [ + { + "version": "1.0.6", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1089900, + "title": "Improper parsing of octal bytes in netmask", + 
"module_name": "netmask", + "vulnerable_versions": "<1.1.0", + "patched_versions": ">=1.1.0", + "severity": "critical", + "cwe": "CWE-20", + "github_advisory_id": "GHSA-4c7m-wxvm-r7gc", + "url": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc" + }, + "1090072": { + "findings": [ + { + "version": "1.1.2", + "paths": [ + ".>karma>log4js>loggly>request>bl" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1090072, + "title": "Remote Memory Exposure in bl", + "module_name": "bl", + "vulnerable_versions": "<1.2.3", + "patched_versions": ">=1.2.3", + "severity": "moderate", + "cwe": "CWE-125, CWE-126", + "github_advisory_id": "GHSA-pp7h-53gx-mx7r", + "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" + }, + "1090384": { + "findings": [ + { + "version": "3.0.0", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1090384, + "title": "Code Injection in pac-resolver", + "module_name": "pac-resolver", + "vulnerable_versions": "<5.0.0", + "patched_versions": ">=5.0.0", + "severity": "high", + "cwe": "CWE-94", + "github_advisory_id": "GHSA-9j49-mfvp-vmhm", + "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" + }, + "1090403": { + "findings": [ + { + "version": "1.0.4", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>degenerator" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1090403, + "title": "Code Injection in pac-resolver", + "module_name": "degenerator", + "vulnerable_versions": "<3.0.1", + "patched_versions": ">=3.0.1", + "severity": "high", + "cwe": "CWE-94", + "github_advisory_id": "GHSA-9j49-mfvp-vmhm", + "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" + }, + "1090418": { "findings": [ { "version": "2.0.5", "paths": [ ".>karma" - ] + ], + "dev": false, + "optional": false, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": 
"<6.3.14", + "id": 1090418, + "title": "Open redirect in karma", "module_name": "karma", + "vulnerable_versions": "<6.3.16", + "patched_versions": ">=6.3.16", "severity": "moderate", - "github_advisory_id": "GHSA-7x7c-qm48-pq9c", - "cves": [ - "CVE-2022-0437" + "cwe": "CWE-601", + "github_advisory_id": "GHSA-rc3x-jf5g-xvc5", + "url": "https://github.com/advisories/GHSA-rc3x-jf5g-xvc5" + }, + "1090420": { + "findings": [ + { + "version": "1.13.0", + "paths": [ + ".>karma>log4js>slack-node>requestretry" + ], + "dev": false, + "optional": true, + "bundled": false + } ], - "access": "public", - "patched_versions": ">=6.3.14", - "updated": "2022-02-07T21:57:21.000Z", - "recommendation": "Upgrade to version 6.3.14 or later", - "cwe": "CWE-79", - "found_by": null, - "deleted": null, - "id": 1006997, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0437\\n- https://github.com/karma-runner/karma/commit/839578c45a8ac42fbc1d72105f97eab77dd3eb8a\\n- https://huntr.dev/bounties/64b67ea1-5487-4382-a5f6-e8a95f798885\\n- https://github.com/karma-runner/karma/releases/tag/v6.3.14\\n- https://github.com/advisories/GHSA-7x7c-qm48-pq9c", - "created": "2022-02-11T00:00:43.705Z", - "reported_by": null, + "id": 1090420, + "title": "Cookie exposure in requestretry", + "module_name": "requestretry", + "vulnerable_versions": "<7.0.0", + "patched_versions": ">=7.0.0", + "severity": "high", + "cwe": "CWE-200", + "github_advisory_id": "GHSA-hjp8-2cm3-cc45", + "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45" + }, + "1090439": { + "findings": [ + { + "version": "2.0.5", + "paths": [ + ".>karma" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1090439, "title": "Cross-site Scripting in karma", - "npm_advisory_id": null, - "overview": "karma prior to version 6.3.14 contains a cross-site scripting vulnerability.", + "module_name": "karma", + "vulnerable_versions": "<6.3.14", + "patched_versions": ">=6.3.14", + "severity": "moderate", + "cwe": 
"CWE-79", + "github_advisory_id": "GHSA-7x7c-qm48-pq9c", "url": "https://github.com/advisories/GHSA-7x7c-qm48-pq9c" }, - "1007017": { + "1091853": { "findings": [ { - "version": "6.10.2", + "version": "1.2.9", "paths": [ - ".>karma>log4js>hipchat-notifier>request>har-validator>ajv" - ] + ".>karma>chokidar>fsevents" + ], + "dev": false, + "optional": true, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": "<6.12.3", - "module_name": "ajv", - "severity": "moderate", - "github_advisory_id": "GHSA-v88g-cgmw-v5xw", - "cves": [ - "CVE-2020-15366" - ], - "access": "public", - "patched_versions": ">=6.12.3", - "updated": "2021-05-10T21:23:42.000Z", - "recommendation": "Upgrade to version 6.12.3 or later", - "cwe": "CWE-915", - "found_by": null, - "deleted": null, - "id": 1007017, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\\n- https://hackerone.com/bugs?subject=user&report_id=894259\\n- https://github.com/ajv-validator/ajv/tags\\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw", - "created": "2022-02-11T00:00:43.707Z", - "reported_by": null, - "title": "Prototype Pollution in Ajv", - "npm_advisory_id": null, - "overview": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
(While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", - "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw" + "id": 1091853, + "title": "Malware in fsevents", + "module_name": "fsevents", + "vulnerable_versions": ">=1.0.0 <1.2.11", + "patched_versions": ">=1.2.11", + "severity": "critical", + "cwe": "CWE-506", + "github_advisory_id": "GHSA-xv2f-5jw4-v95m", + "url": "https://github.com/advisories/GHSA-xv2f-5jw4-v95m" }, - "1007026": { + "1092623": { "findings": [ - { - "version": "1.0.0", - "paths": [ - ".>axios>follow-redirects" - ] - }, { "version": "1.9.0", "paths": [ ".>karma>http-proxy>follow-redirects" - ] + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "1.0.0", + "paths": [ + ".>karma>log4js>axios>follow-redirects", + ".>axios>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": "<1.14.8", - "module_name": "follow-redirects", - "severity": "moderate", - "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", - "cves": [ - "CVE-2022-0536" - ], - "access": "public", - "patched_versions": ">=1.14.8", - "updated": "2022-02-11T21:18:03.000Z", - "recommendation": "Upgrade to version 1.14.8 or later", - "cwe": "CWE-200", - "found_by": null, - "deleted": null, - "id": 1007026, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\\n- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", - "created": "2022-02-14T23:00:43.878Z", - "reported_by": null, + "id": 1092623, "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", - "npm_advisory_id": null, - "overview": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 
1.14.8.", + "module_name": "follow-redirects", + "vulnerable_versions": "<1.14.8", + "patched_versions": ">=1.14.8", + "severity": "moderate", + "cwe": "CWE-200, CWE-212", + "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c" }, - "1007030": { + "1093475": { + "findings": [ + { + "version": "0.6.2", + "paths": [ + ".>sync-exec" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1093475, + "title": "Tmp files readable by other users in sync-exec", + "module_name": "sync-exec", + "vulnerable_versions": "<=0.6.2", + "patched_versions": ">=0.6.3", + "severity": "moderate", + "cwe": "CWE-377", + "github_advisory_id": "GHSA-38h8-x697-gh8q", + "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q" + }, + "1093560": { + "findings": [ + { + "version": "1.0.6", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1093560, + "title": "netmask npm package mishandles octal input data", + "module_name": "netmask", + "vulnerable_versions": "<2.0.1", + "patched_versions": ">=2.0.1", + "severity": "moderate", + "cwe": "CWE-20", + "github_advisory_id": "GHSA-pch5-whg9-qr2r", + "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r" + }, + "1093718": { + "findings": [ + { + "version": "2.0.4", + "paths": [ + ".>karma>socket.io" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1093718, + "title": "CORS misconfiguration in socket.io", + "module_name": "socket.io", + "vulnerable_versions": "<2.4.0", + "patched_versions": ">=2.4.0", + "severity": "moderate", + "cwe": "CWE-346, CWE-453", + "github_advisory_id": "GHSA-fxwf-4rqh-v8g3", + "url": "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3" + }, + "1093858": { + "findings": [ + { + "version": "2.3.0", + "paths": [ + ".>karma>log4js>loggly>timespan" + ], + "dev": false, + "optional": true, + "bundled": false + 
} + ], + "id": 1093858, + "title": "Regular Expression Denial of Service in timespan", + "module_name": "timespan", + "vulnerable_versions": "<=2.3.0", + "patched_versions": ">=2.3.1", + "severity": "high", + "cwe": "CWE-400", + "github_advisory_id": "GHSA-f523-2f5j-gfcg", + "url": "https://github.com/advisories/GHSA-f523-2f5j-gfcg" + }, + "1094087": { + "findings": [ + { + "version": "0.2.0", + "paths": [ + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>anymatch>micromatch>extglob>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>anymatch>micromatch>nanomatch>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>anymatch>micromatch>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>braces>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>readdirp>micromatch>extglob>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>readdirp>micromatch>nanomatch>snapdragon>source-map-resolve>decode-uri-component", + ".>karma>chokidar>readdirp>micromatch>snapdragon>source-map-resolve>decode-uri-component" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1094087, + "title": "decode-uri-component vulnerable to Denial of Service (DoS)", + "module_name": "decode-uri-component", + "vulnerable_versions": "<0.2.1", + "patched_versions": ">=0.2.1", + "severity": "high", + "cwe": "CWE-20", + "github_advisory_id": "GHSA-w573-4hg7-7wgq", + "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq" + }, + "1094997": { + "findings": [ + { + "version": "1.2.9", + 
"paths": [ + ".>karma>chokidar>fsevents" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1094997, + "title": "Code injection in fsevents", + "module_name": "fsevents", + "vulnerable_versions": "<=1.2.10", + "patched_versions": ">=1.2.11", + "severity": "critical", + "cwe": "CWE-94", + "github_advisory_id": "GHSA-8r6j-v8pm-fqw3", + "url": "https://github.com/advisories/GHSA-8r6j-v8pm-fqw3" + }, + "1095056": { + "findings": [ + { + "version": "6.0.2", + "paths": [ + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon-node>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon-node>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>snapdragon-node>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>braces>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>define-property>is-descriptor>is-accessor-descriptor>kind-of", + 
".>karma>chokidar>anymatch>micromatch>extglob>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>expand-brackets>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>extglob>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>define-property>is-descriptor>is-data-descriptor>kind-of", + 
".>karma>chokidar>anymatch>micromatch>nanomatch>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>nanomatch>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>anymatch>micromatch>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>braces>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>braces>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>braces>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>braces>snapdragon-node>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>braces>snapdragon-node>define-property>is-descriptor>is-data-descriptor>kind-of", + 
".>karma>chokidar>braces>snapdragon-node>define-property>is-descriptor>kind-of", + ".>karma>chokidar>braces>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>braces>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>braces>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon-node>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon-node>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>snapdragon-node>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>braces>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>define-property>is-descriptor>kind-of", + 
".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>expand-brackets>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>extglob>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>kind-of", + 
".>karma>chokidar>readdirp>micromatch>nanomatch>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>nanomatch>to-regex>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>snapdragon>base>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>snapdragon>base>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>snapdragon>base>define-property>is-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>to-regex>define-property>is-descriptor>is-accessor-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>to-regex>define-property>is-descriptor>is-data-descriptor>kind-of", + ".>karma>chokidar>readdirp>micromatch>to-regex>define-property>is-descriptor>kind-of" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1095056, + "title": "Validation Bypass in kind-of", + "module_name": "kind-of", + "vulnerable_versions": ">=6.0.0 <6.0.3", + "patched_versions": ">=6.0.3", + "severity": "high", + "cwe": "CWE-668", + "github_advisory_id": "GHSA-6c8f-qphg-qjgp", + "url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp" + }, + "1095062": { + "findings": [ + { + "version": "3.1.3", + "paths": [ + ".>karma>log4js>loggly>request>hawk" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1095062, + "title": "Uncontrolled Resource Consumption in Hawk", + "module_name": "hawk", 
+ "vulnerable_versions": "<9.0.1", + "patched_versions": ">=9.0.1", + "severity": "high", + "cwe": "CWE-400, CWE-1333", + "github_advisory_id": "GHSA-44pw-h2cw-w3vq", + "url": "https://github.com/advisories/GHSA-44pw-h2cw-w3vq" + }, + "1095088": { + "findings": [ + { + "version": "1.5.5", + "paths": [ + ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1095088, + "title": "xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection", + "module_name": "xmlhttprequest-ssl", + "vulnerable_versions": "<1.6.2", + "patched_versions": ">=1.6.2", + "severity": "critical", + "cwe": "CWE-94", + "github_advisory_id": "GHSA-h4j5-c7cj-74xg", + "url": "https://github.com/advisories/GHSA-h4j5-c7cj-74xg" + }, + "1095090": { + "findings": [ + { + "version": "1.5.5", + "paths": [ + ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1095090, + "title": "Improper Certificate Validation in xmlhttprequest-ssl", + "module_name": "xmlhttprequest-ssl", + "vulnerable_versions": "<1.6.1", + "patched_versions": ">=1.6.1", + "severity": "critical", + "cwe": "CWE-295", + "github_advisory_id": "GHSA-72mh-269x-7mh5", + "url": "https://github.com/advisories/GHSA-72mh-269x-7mh5" + }, + "1095095": { "findings": [ { "version": "1.4.7", "paths": [ ".>karma>log4js>amqplib>url-parse" - ] + ], + "dev": false, + "optional": true, + "bundled": false } ], - "metadata": null, - "vulnerable_versions": "<1.5.6", + "id": 1095095, + "title": "Authorization Bypass Through User-Controlled Key in url-parse", "module_name": "url-parse", - "severity": "high", - "github_advisory_id": "GHSA-rqff-837h-mm52", - "cves": [ - "CVE-2022-0512" - ], - "access": "public", - "patched_versions": ">=1.5.6", - "updated": "2022-02-16T22:37:40.000Z", - "recommendation": "Upgrade to version 1.5.6 or later", + 
"vulnerable_versions": "<1.5.8", + "patched_versions": ">=1.5.8", + "severity": "critical", "cwe": "CWE-639", - "found_by": null, - "deleted": null, - "id": 1007030, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0512\\n- https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40\\n- https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b\\n- https://github.com/advisories/GHSA-rqff-837h-mm52", - "created": "2022-02-17T14:00:45.711Z", - "reported_by": null, + "github_advisory_id": "GHSA-hgjh-723h-mx2j", + "url": "https://github.com/advisories/GHSA-hgjh-723h-mx2j" + }, + "1095117": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1095117, + "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "module_name": "tar", + "vulnerable_versions": "<4.4.18", + "patched_versions": ">=4.4.18", + "severity": "high", + "cwe": "CWE-22", + "github_advisory_id": "GHSA-5955-9wpr-37jh", + "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh" + }, + "1095531": { + "findings": [ + { + "version": "2.11.0", + "paths": [ + ".>karma>log4js" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1095531, + "title": "Incorrect Default Permissions in log4js", + "module_name": "log4js", + "vulnerable_versions": "<6.4.0", + "patched_versions": ">=6.4.0", + "severity": "moderate", + "cwe": "CWE-276", + "github_advisory_id": "GHSA-82v2-mx6x-wq7q", + "url": "https://github.com/advisories/GHSA-82v2-mx6x-wq7q" + }, + "1096334": { + "findings": [ + { + "version": "1.18.0", + "paths": [ + ".>karma>http-proxy" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1096334, + "title": "Denial of Service in http-proxy", + "module_name": "http-proxy", + "vulnerable_versions": "<1.18.1", + "patched_versions": ">=1.18.1", + 
"severity": "high", + "cwe": "CWE-184, CWE-693", + "github_advisory_id": "GHSA-6x33-pw7p-hmpq", + "url": "https://github.com/advisories/GHSA-6x33-pw7p-hmpq" + }, + "1096376": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1096376, + "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", + "module_name": "tar", + "vulnerable_versions": ">=3.0.0 <4.4.16", + "patched_versions": ">=4.4.16", + "severity": "high", + "cwe": "CWE-22, CWE-59", + "github_advisory_id": "GHSA-9r2w-394v-53qc", + "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc" + }, + "1096411": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1096411, + "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", + "module_name": "tar", + "vulnerable_versions": ">=3.0.0 <4.4.18", + "patched_versions": ">=4.4.18", + "severity": "high", + "cwe": "CWE-22, CWE-59", + "github_advisory_id": "GHSA-qq89-hq3f-393p", + "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p" + }, + "1096485": { + "findings": [ + { + "version": "3.0.4", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>npm-packlist>ignore-walk>minimatch", + ".>karma>chokidar>fsevents>node-pre-gyp>rimraf>glob>minimatch", + ".>karma>glob>minimatch", + ".>karma>minimatch", + ".>karma>rimraf>glob>minimatch" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1096485, + "title": "minimatch ReDoS vulnerability", + "module_name": "minimatch", + "vulnerable_versions": "<3.0.5", + "patched_versions": ">=3.0.5", + "severity": "high", + "cwe": "CWE-400, CWE-1333", + "github_advisory_id": 
"GHSA-f8q6-p94x-37v3", + "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3" + }, + "1096727": { + "findings": [ + { + "version": "2.88.0", + "paths": [ + ".>karma>log4js>hipchat-notifier>request", + ".>karma>log4js>slack-node>requestretry>request", + ".>karma>useragent>request" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "2.75.0", + "paths": [ + ".>karma>log4js>loggly>request" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1096727, + "title": "Server-Side Request Forgery in Request", + "module_name": "request", + "vulnerable_versions": "<=2.88.2", + "patched_versions": ">=2.88.3", + "severity": "moderate", + "cwe": "CWE-918", + "github_advisory_id": "GHSA-p8p7-x288-28g6", + "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6" + }, + "1096856": { + "findings": [ + { + "version": "1.9.0", + "paths": [ + ".>karma>http-proxy>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "1.0.0", + "paths": [ + ".>karma>log4js>axios>follow-redirects", + ".>axios>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1096856, + "title": "follow-redirects' Proxy-Authorization header kept across hosts", + "module_name": "follow-redirects", + "vulnerable_versions": "<=1.15.5", + "patched_versions": ">=1.15.6", + "severity": "moderate", + "cwe": "CWE-200", + "github_advisory_id": "GHSA-cxjh-pqwp-8mfp", + "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp" + }, + "1097134": { + "findings": [ + { + "version": "3.1.3", + "paths": [ + ".>karma>socket.io>socket.io-client>socket.io-parser", + ".>karma>socket.io>socket.io-parser" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1097134, + "title": "Insufficient validation when decoding a Socket.IO packet", + "module_name": "socket.io-parser", + "vulnerable_versions": "<3.3.3", + "patched_versions": ">=3.3.3", + "severity": "critical", + 
"cwe": "CWE-20, CWE-89, CWE-1287", + "github_advisory_id": "GHSA-qm95-pgcg-qqfq", + "url": "https://github.com/advisories/GHSA-qm95-pgcg-qqfq" + }, + "1097493": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1097493, + "title": "Denial of service while parsing a tar file due to lack of folders count validation", + "module_name": "tar", + "vulnerable_versions": "<6.2.1", + "patched_versions": ">=6.2.1", + "severity": "moderate", + "cwe": "CWE-400", + "github_advisory_id": "GHSA-f5x3-32g6-xq36", + "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36" + }, + "1097677": { + "findings": [ + { + "version": "0.0.8", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist", + ".>karma>chokidar>fsevents>node-pre-gyp>tar>mkdirp>minimist", + ".>karma>log4js>streamroller>mkdirp>minimist" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "0.0.10", + "paths": [ + ".>karma>optimist>minimist" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1097677, + "title": "Prototype Pollution in minimist", + "module_name": "minimist", + "vulnerable_versions": "<0.2.4", + "patched_versions": ">=0.2.4", + "severity": "critical", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-xvch-5gv4-984h", + "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" + }, + "1097678": { + "findings": [ + { + "version": "1.2.5", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>rc>minimist" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1097678, + "title": "Prototype Pollution in minimist", + "module_name": "minimist", + "vulnerable_versions": ">=1.0.0 <1.2.6", + "patched_versions": ">=1.2.6", + "severity": "critical", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-xvch-5gv4-984h", + "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" + }, + 
"1097679": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>karma>log4js>axios", + ".>axios" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1097679, + "title": "Axios Cross-Site Request Forgery Vulnerability", + "module_name": "axios", + "vulnerable_versions": ">=0.8.1 <0.28.0", + "patched_versions": ">=0.28.0", + "severity": "moderate", + "cwe": "CWE-352", + "github_advisory_id": "GHSA-wf5p-g6vw-rhxx", + "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" + }, + "1097682": { + "findings": [ + { + "version": "2.4.3", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>tough-cookie", + ".>karma>log4js>slack-node>requestretry>request>tough-cookie", + ".>karma>useragent>request>tough-cookie" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "2.3.4", + "paths": [ + ".>karma>log4js>loggly>request>tough-cookie" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1097682, + "title": "tough-cookie Prototype Pollution vulnerability", + "module_name": "tough-cookie", + "vulnerable_versions": "<4.1.3", + "patched_versions": ">=4.1.3", + "severity": "moderate", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-72xf-g2v4-qvf3", + "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3" + }, + "1097685": { + "findings": [ + { + "version": "6.10.2", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>har-validator>ajv", + ".>karma>log4js>slack-node>requestretry>request>har-validator>ajv", + ".>karma>useragent>request>har-validator>ajv" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1097685, + "title": "Prototype Pollution in Ajv", + "module_name": "ajv", + "vulnerable_versions": "<6.12.3", + "patched_versions": ">=6.12.3", + "severity": "moderate", + "cwe": "CWE-915, CWE-1321", + "github_advisory_id": "GHSA-v88g-cgmw-v5xw", + "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw" + }, + "1097691": { + "findings": [ + { + 
"version": "2.6.3", + "paths": [ + ".>karma>log4js>mailgun-js>async" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1097691, + "title": "Prototype Pollution in async", + "module_name": "async", + "vulnerable_versions": ">=2.0.0 <2.6.4", + "patched_versions": ">=2.6.4", + "severity": "high", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-fwr7-v2mv-hh25", + "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" + }, + "1098094": { + "findings": [ + { + "version": "2.3.2", + "paths": [ + ".>karma>chokidar>anymatch>micromatch>braces", + ".>karma>chokidar>braces", + ".>karma>chokidar>readdirp>micromatch>braces" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "0.1.5", + "paths": [ + ".>karma>expand-braces>braces" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1098094, + "title": "Uncontrolled resource consumption in braces", + "module_name": "braces", + "vulnerable_versions": "<3.0.3", + "patched_versions": ">=3.0.3", + "severity": "high", + "cwe": "CWE-400, CWE-1050", + "github_advisory_id": "GHSA-grv7-fg5c-xmjg", + "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" + }, + "1098395": { + "findings": [ + { + "version": "3.3.3", + "paths": [ + ".>karma>socket.io>engine.io>ws", + ".>karma>socket.io>socket.io-client>engine.io-client>ws" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1098395, + "title": "ws affected by a DoS when handling a request with many HTTP headers", + "module_name": "ws", + "vulnerable_versions": ">=2.1.0 <5.2.4", + "patched_versions": ">=5.2.4", + "severity": "high", + "cwe": "CWE-476", + "github_advisory_id": "GHSA-3h5v-q93c-6h6q", + "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q" + }, + "1098681": { + "findings": [ + { + "version": "3.1.10", + "paths": [ + ".>karma>chokidar>anymatch>micromatch", + ".>karma>chokidar>readdirp>micromatch" + ], + "dev": false, + "optional": false, + "bundled": false + 
} + ], + "id": 1098681, + "title": "Regular Expression Denial of Service (ReDoS) in micromatch", + "module_name": "micromatch", + "vulnerable_versions": "<4.0.8", + "patched_versions": ">=4.0.8", + "severity": "moderate", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-952p-6rrq-rcjv", + "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv" + }, + "1099520": { + "findings": [ + { + "version": "1.19.0", + "paths": [ + ".>karma>body-parser" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1099520, + "title": "body-parser vulnerable to denial of service when url encoding is enabled", + "module_name": "body-parser", + "vulnerable_versions": "<1.20.3", + "patched_versions": ">=1.20.3", + "severity": "high", + "cwe": "CWE-405", + "github_advisory_id": "GHSA-qwcr-r2fm-qrc7", + "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7" + }, + "1100540": { + "findings": [ + { + "version": "3.1.3", + "paths": [ + ".>karma>socket.io>socket.io-client>socket.io-parser", + ".>karma>socket.io>socket.io-parser" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1100540, + "title": "Insufficient validation when decoding a Socket.IO packet", + "module_name": "socket.io-parser", + "vulnerable_versions": "<3.3.4", + "patched_versions": ">=3.3.4", + "severity": "moderate", + "cwe": "CWE-20, CWE-754", + "github_advisory_id": "GHSA-cqmj-92xf-r6r9", + "url": "https://github.com/advisories/GHSA-cqmj-92xf-r6r9" + }, + "1100551": { + "findings": [ + { + "version": "2.0.4", + "paths": [ + ".>karma>socket.io" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1100551, + "title": "socket.io has an unhandled 'error' event", + "module_name": "socket.io", + "vulnerable_versions": "<2.5.0", + "patched_versions": ">=2.5.0", + "severity": "moderate", + "cwe": "CWE-20, CWE-754", + "github_advisory_id": "GHSA-25hc-qcg6-38wj", + "url": "https://github.com/advisories/GHSA-25hc-qcg6-38wj" + }, + "1101851": { + 
"findings": [ + { + "version": "1.1.5", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>ip", + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>socks-proxy-agent>socks>ip", + ".>karma>log4js>mailgun-js>proxy-agent>socks-proxy-agent>socks>ip", + ".>karma>log4js>nodemailer>socks>ip" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1101851, + "title": "ip SSRF improper categorization in isPublic", + "module_name": "ip", + "vulnerable_versions": "<=2.0.1", + "patched_versions": ">=2.0.2", + "severity": "high", + "cwe": "CWE-918", + "github_advisory_id": "GHSA-2p57-rm9w-gvfp", + "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp" + }, + "1101855": { + "findings": [ + { + "version": "0.2.3", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema", + ".>karma>log4js>loggly>request>http-signature>jsprim>json-schema", + ".>karma>log4js>slack-node>requestretry>request>http-signature>jsprim>json-schema", + ".>karma>useragent>request>http-signature>jsprim>json-schema" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1101855, + "title": "json-schema is vulnerable to Prototype Pollution", + "module_name": "json-schema", + "vulnerable_versions": "<0.4.0", + "patched_versions": ">=0.4.0", + "severity": "critical", + "cwe": "CWE-915, CWE-1321", + "github_advisory_id": "GHSA-896r-f27r-55mw", + "url": "https://github.com/advisories/GHSA-896r-f27r-55mw" + }, + "1102323": { + "findings": [ + { + "version": "1.9.0", + "paths": [ + ".>karma>http-proxy>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "1.0.0", + "paths": [ + ".>karma>log4js>axios>follow-redirects", + ".>axios>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1102323, + "title": "Exposure of sensitive information in follow-redirects", + "module_name": "follow-redirects", + 
"vulnerable_versions": "<1.14.7", + "patched_versions": ">=1.14.7", + "severity": "high", + "cwe": "CWE-359", + "github_advisory_id": "GHSA-74fj-2j2h-c42q", + "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q" + }, + "1102444": { + "findings": [ + { + "version": "1.2.3", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>degenerator>escodegen>optionator>word-wrap" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1102444, + "title": "word-wrap vulnerable to Regular Expression Denial of Service", + "module_name": "word-wrap", + "vulnerable_versions": "<1.2.4", + "patched_versions": ">=1.2.4", + "severity": "moderate", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-j8xg-fqg3-53r7", + "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7" + }, + "1102906": { + "findings": [ + { + "version": "4.0.1", + "paths": [ + ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1102906, + "title": "Prototype Pollution in node-jsonpointer", + "module_name": "jsonpointer", + "vulnerable_versions": "<5.0.0", + "patched_versions": ">=5.0.0", + "severity": "moderate", + "cwe": "CWE-843, CWE-1321", + "github_advisory_id": "GHSA-282f-qqgm-c34q", + "url": "https://github.com/advisories/GHSA-282f-qqgm-c34q" + }, + "1104115": { + "findings": [ + { + "version": "6.2.3", + "paths": [ + ".>karma>log4js>loggly>request>qs" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1104115, + "title": "qs vulnerable to Prototype Pollution", + "module_name": "qs", + "vulnerable_versions": "<6.2.4", + "patched_versions": ">=6.2.4", + "severity": "high", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-hrpp-h998-j3pp", + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" + }, + "1104118": { + "findings": [ + { + "version": "6.5.2", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>qs", + 
".>karma>log4js>slack-node>requestretry>request>qs", + ".>karma>useragent>request>qs" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1104118, + "title": "qs vulnerable to Prototype Pollution", + "module_name": "qs", + "vulnerable_versions": ">=6.5.0 <6.5.3", + "patched_versions": ">=6.5.3", + "severity": "high", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-hrpp-h998-j3pp", + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" + }, + "1104120": { + "findings": [ + { + "version": "6.7.0", + "paths": [ + ".>karma>body-parser>qs" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1104120, + "title": "qs vulnerable to Prototype Pollution", + "module_name": "qs", + "vulnerable_versions": ">=6.7.0 <6.7.3", + "patched_versions": ">=6.7.3", + "severity": "high", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-hrpp-h998-j3pp", + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" + }, + "1105092": { + "findings": [ + { + "version": "2.16.3", + "paths": [ + ".>karma>log4js>loggly>request>hawk>boom>hoek", + ".>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek", + ".>karma>log4js>loggly>request>hawk>hoek", + ".>karma>log4js>loggly>request>hawk>sntp>hoek" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1105092, + "title": "hoek subject to prototype pollution via the clone function.", + "module_name": "hoek", + "vulnerable_versions": "<=6.1.3", + "patched_versions": ">=6.1.4", + "severity": "high", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-c429-5p7v-vgjp", + "url": "https://github.com/advisories/GHSA-c429-5p7v-vgjp" + }, + "1105121": { + "findings": [ + { + "version": "2.16.3", + "paths": [ + ".>karma>log4js>loggly>request>hawk>boom>hoek", + ".>karma>log4js>loggly>request>hawk>cryptiles>boom>hoek", + ".>karma>log4js>loggly>request>hawk>hoek", + ".>karma>log4js>loggly>request>hawk>sntp>hoek" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + 
"id": 1105121, + "title": "Prototype Pollution in hoek", + "module_name": "hoek", + "vulnerable_versions": "<4.2.1", + "patched_versions": ">=4.2.1", + "severity": "high", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-jp4x-w63m-7wgm", + "url": "https://github.com/advisories/GHSA-jp4x-w63m-7wgm" + }, + "1105123": { + "findings": [ + { + "version": "3.1.5", + "paths": [ + ".>karma>socket.io>engine.io" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1105123, + "title": "Resource exhaustion in engine.io", + "module_name": "engine.io", + "vulnerable_versions": "<3.6.0", + "patched_versions": ">=3.6.0", + "severity": "high", + "cwe": "CWE-400", + "github_advisory_id": "GHSA-j4f2-536g-r55m", + "url": "https://github.com/advisories/GHSA-j4f2-536g-r55m" + }, + "1106913": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>combine-lists>lodash", + ".>karma>lodash", + ".>karma>log4js>hipchat-notifier>lodash", + ".>karma>log4js>mailgun-js>async>lodash", + ".>karma>log4js>slack-node>requestretry>lodash" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1106913, + "title": "Command Injection in lodash", + "module_name": "lodash", + "vulnerable_versions": "<4.17.21", + "patched_versions": ">=4.17.21", + "severity": "high", + "cwe": "CWE-77, CWE-94", + "github_advisory_id": "GHSA-35jh-r3h4-6jhm", + "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" + }, + "1106920": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>combine-lists>lodash", + ".>karma>lodash", + ".>karma>log4js>hipchat-notifier>lodash", + ".>karma>log4js>mailgun-js>async>lodash", + ".>karma>log4js>slack-node>requestretry>lodash" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1106920, + "title": "Prototype Pollution in lodash", + "module_name": "lodash", + "vulnerable_versions": ">=3.7.0 <4.17.19", + "patched_versions": ">=4.17.19", + "severity": "high", + "cwe": "CWE-770, 
CWE-1321", + "github_advisory_id": "GHSA-p6mc-m468-83gw", + "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" + }, + "1107224": { + "findings": [ + { + "version": "0.0.5", + "paths": [ + ".>karma>socket.io>socket.io-client>engine.io-client>parseuri", + ".>karma>socket.io>socket.io-client>parseuri" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1107224, + "title": "parse-uri Regular expression Denial of Service (ReDoS)", + "module_name": "parseuri", + "vulnerable_versions": "<2.0.0", + "patched_versions": ">=2.0.0", + "severity": "moderate", + "cwe": "CWE-185, CWE-1333", + "github_advisory_id": "GHSA-6fx8-h7jm-663j", + "url": "https://github.com/advisories/GHSA-6fx8-h7jm-663j" + }, + "1107230": { + "findings": [ + { + "version": "2.2.1", + "paths": [ + ".>karma>useragent" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1107230, + "title": "useragent Regular Expression Denial of Service vulnerability", + "module_name": "useragent", + "vulnerable_versions": "<=2.3.0", + "patched_versions": ">=2.3.1", + "severity": "moderate", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-mgfv-m47x-4wqp", + "url": "https://github.com/advisories/GHSA-mgfv-m47x-4wqp" + }, + "1107232": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1107232, + "title": "nodemailer ReDoS when trying to send a specially crafted email", + "module_name": "nodemailer", + "vulnerable_versions": "<=6.9.8", + "patched_versions": ">=6.9.9", + "severity": "moderate", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-9h6g-pr28-7cqp", + "url": "https://github.com/advisories/GHSA-9h6g-pr28-7cqp" + }, + "1108258": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>combine-lists>lodash", + ".>karma>lodash", + ".>karma>log4js>hipchat-notifier>lodash", + ".>karma>log4js>mailgun-js>async>lodash", + 
".>karma>log4js>slack-node>requestretry>lodash" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1108258, + "title": "Regular Expression Denial of Service (ReDoS) in lodash", + "module_name": "lodash", + "vulnerable_versions": ">=4.0.0 <4.17.21", + "patched_versions": ">=4.17.21", + "severity": "moderate", + "cwe": "CWE-400, CWE-1333", + "github_advisory_id": "GHSA-29mw-wpgm-hmr9", + "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" + }, + "1109540": { + "findings": [ + { + "version": "2.3.3", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>form-data", + ".>karma>log4js>mailgun-js>form-data", + ".>karma>log4js>slack-node>requestretry>request>form-data", + ".>karma>useragent>request>form-data" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "2.0.0", + "paths": [ + ".>karma>log4js>loggly>request>form-data" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1109540, + "title": "form-data uses unsafe random function in form-data for choosing boundary", + "module_name": "form-data", + "vulnerable_versions": "<2.5.4", + "patched_versions": ">=2.5.4", + "severity": "critical", + "cwe": "CWE-330", + "github_advisory_id": "GHSA-fjxv-7rqg-78g4", + "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4" + }, + "1109569": { + "findings": [ + { + "version": "1.9.0", + "paths": [ + ".>karma>http-proxy>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "1.0.0", + "paths": [ + ".>karma>log4js>axios>follow-redirects", + ".>axios>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1109569, + "title": "Follow Redirects improperly handles URLs in the url.parse() function", + "module_name": "follow-redirects", + "vulnerable_versions": "<1.15.4", + "patched_versions": ">=1.15.4", + "severity": "moderate", + "cwe": "CWE-20, CWE-601", + "github_advisory_id": "GHSA-jchw-25xp-jwwc", + 
"url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc" + }, + "1109570": { + "findings": [ + { + "version": "1.7.0", + "paths": [ + ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore", + ".>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp-connection>httpntlm>underscore", + ".>karma>log4js>nodemailer>nodemailer-smtp-transport>smtp-connection>httpntlm>underscore" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1109570, + "title": "Arbitrary Code Execution in underscore", + "module_name": "underscore", + "vulnerable_versions": ">=1.3.2 <1.12.1", + "patched_versions": ">=1.12.1", + "severity": "critical", + "cwe": "CWE-94", + "github_advisory_id": "GHSA-cf4h-3jhx-xvhq", + "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq" + }, + "1109804": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1109804, + "title": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict", + "module_name": "nodemailer", + "vulnerable_versions": "<7.0.7", + "patched_versions": ">=7.0.7", + "severity": "moderate", + "cwe": "CWE-20, CWE-436", + "github_advisory_id": "GHSA-mm7p-fcc7-pg87", + "url": "https://github.com/advisories/GHSA-mm7p-fcc7-pg87" + }, + "1111034": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>karma>log4js>axios", + ".>axios" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1111034, + "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL", + "module_name": "axios", + "vulnerable_versions": "<0.30.0", + "patched_versions": ">=0.30.0", + "severity": "high", + "cwe": "CWE-918", + "github_advisory_id": "GHSA-jr5f-v2jv-69x6", + "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6" + }, + "1112455": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + 
".>karma>combine-lists>lodash", + ".>karma>lodash", + ".>karma>log4js>hipchat-notifier>lodash", + ".>karma>log4js>mailgun-js>async>lodash", + ".>karma>log4js>slack-node>requestretry>lodash" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1112455, + "title": "Lodash has Prototype Pollution Vulnerability in \`_.unset\` and \`_.omit\` functions", + "module_name": "lodash", + "vulnerable_versions": ">=4.0.0 <=4.17.22", + "patched_versions": ">=4.17.23", + "severity": "moderate", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-xxjr-mmjv-4gpg", + "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg" + }, + "1112659": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1112659, + "title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal", + "module_name": "tar", + "vulnerable_versions": "<7.5.7", + "patched_versions": ">=7.5.7", + "severity": "high", + "cwe": "CWE-22, CWE-59", + "github_advisory_id": "GHSA-34x7-hfp2-rc4v", + "url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v" + }, + "1112827": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1112827, + "title": "Open redirect in url-parse", + "module_name": "url-parse", + "vulnerable_versions": ">=0.1.0 <1.5.2", + "patched_versions": ">=1.5.2", + "severity": "moderate", + "cwe": "CWE-601", + "github_advisory_id": "GHSA-hh27-ffr2-f2jc", + "url": "https://github.com/advisories/GHSA-hh27-ffr2-f2jc" + }, + "1112828": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1112828, + "title": "Path traversal in url-parse", + "module_name": "url-parse", + "vulnerable_versions": ">=0.1.0 
<1.5.0", + "patched_versions": ">=1.5.0", + "severity": "moderate", + "cwe": "CWE-23", + "github_advisory_id": "GHSA-9m6j-fcg5-2442", + "url": "https://github.com/advisories/GHSA-9m6j-fcg5-2442" + }, + "1112829": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1112829, + "title": "url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.", + "module_name": "url-parse", + "vulnerable_versions": ">=0.1.0 <1.5.9", + "patched_versions": ">=1.5.9", + "severity": "moderate", + "cwe": "CWE-639", + "github_advisory_id": "GHSA-jf5r-8hm2-f872", + "url": "https://github.com/advisories/GHSA-jf5r-8hm2-f872" + }, + "1112918": { + "findings": [ + { + "version": "5.7.1", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>semver", + ".>karma>log4js>semver" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "5.5.1", + "paths": [ + ".>karma>useragent>semver" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1112918, + "title": "semver vulnerable to Regular Expression Denial of Service", + "module_name": "semver", + "vulnerable_versions": ">=2.0.0-alpha <5.7.2", + "patched_versions": ">=5.7.2", + "severity": "high", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-c2qf-rxjj-qqgw", + "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" + }, + "1113165": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113165, + "title": "Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls", + "module_name": "nodemailer", + "vulnerable_versions": "<=7.0.10", + "patched_versions": ">=7.0.11", + "severity": "high", + "cwe": "CWE-703", + "github_advisory_id": "GHSA-rcmh-qjqh-p98v", + "url": "https://github.com/advisories/GHSA-rcmh-qjqh-p98v" + 
}, + "1113274": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>karma>log4js>axios", + ".>axios" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1113274, + "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", + "module_name": "axios", + "vulnerable_versions": "<=0.30.2", + "patched_versions": ">=0.30.3", + "severity": "high", + "cwe": "CWE-754", + "github_advisory_id": "GHSA-43fc-jf86-j433", + "url": "https://github.com/advisories/GHSA-43fc-jf86-j433" + }, + "1113300": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113300, + "title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization", + "module_name": "tar", + "vulnerable_versions": "<=7.5.2", + "patched_versions": ">=7.5.3", + "severity": "high", + "cwe": "CWE-22", + "github_advisory_id": "GHSA-8qq5-rm4j-mr97", + "url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97" + }, + "1113375": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113375, + "title": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction", + "module_name": "tar", + "vulnerable_versions": "<7.5.8", + "patched_versions": ">=7.5.8", + "severity": "high", + "cwe": "CWE-22", + "github_advisory_id": "GHSA-83g3-92jg-28cx", + "url": "https://github.com/advisories/GHSA-83g3-92jg-28cx" + }, + "1113394": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113394, + "title": "url-parse Incorrectly parses URLs that include an '@'", + "module_name": "url-parse", + "vulnerable_versions": ">=1.0.0 
<1.5.7", + "patched_versions": ">=1.5.7", + "severity": "moderate", + "cwe": "CWE-639", + "github_advisory_id": "GHSA-8v38-pw62-9cw2", + "url": "https://github.com/advisories/GHSA-8v38-pw62-9cw2" + }, + "1113395": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113395, "title": "Authorization bypass in url-parse", - "npm_advisory_id": null, - "overview": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.", + "module_name": "url-parse", + "vulnerable_versions": ">=0.1.0 <1.5.6", + "patched_versions": ">=1.5.6", + "severity": "moderate", + "cwe": "CWE-639", + "github_advisory_id": "GHSA-rqff-837h-mm52", "url": "https://github.com/advisories/GHSA-rqff-837h-mm52" + }, + "1113459": { + "findings": [ + { + "version": "3.0.4", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>npm-packlist>ignore-walk>minimatch", + ".>karma>chokidar>fsevents>node-pre-gyp>rimraf>glob>minimatch", + ".>karma>glob>minimatch", + ".>karma>minimatch", + ".>karma>rimraf>glob>minimatch" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1113459, + "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", + "module_name": "minimatch", + "vulnerable_versions": "<3.1.3", + "patched_versions": ">=3.1.3", + "severity": "high", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-3ppc-4f35-3m26", + "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26" + }, + "1113538": { + "findings": [ + { + "version": "3.0.4", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>npm-packlist>ignore-walk>minimatch", + ".>karma>chokidar>fsevents>node-pre-gyp>rimraf>glob>minimatch", + ".>karma>glob>minimatch", + ".>karma>minimatch", + ".>karma>rimraf>glob>minimatch" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1113538, + "title": "minimatch has ReDoS: matchOne() 
combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", + "module_name": "minimatch", + "vulnerable_versions": "<3.1.3", + "patched_versions": ">=3.1.3", + "severity": "high", + "cwe": "CWE-407", + "github_advisory_id": "GHSA-7r86-cg39-jmmj", + "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj" + }, + "1113546": { + "findings": [ + { + "version": "3.0.4", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>npm-packlist>ignore-walk>minimatch", + ".>karma>chokidar>fsevents>node-pre-gyp>rimraf>glob>minimatch", + ".>karma>glob>minimatch", + ".>karma>minimatch", + ".>karma>rimraf>glob>minimatch" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1113546, + "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", + "module_name": "minimatch", + "vulnerable_versions": "<3.1.4", + "patched_versions": ">=3.1.4", + "severity": "high", + "cwe": "CWE-1333", + "github_advisory_id": "GHSA-23c5-xmqv-rm74", + "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74" + }, + "1113714": { + "findings": [ + { + "version": "6.10.2", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>har-validator>ajv", + ".>karma>log4js>slack-node>requestretry>request>har-validator>ajv", + ".>karma>useragent>request>har-validator>ajv" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1113714, + "title": "ajv has ReDoS when using \`$data\` option", + "module_name": "ajv", + "vulnerable_versions": "<6.14.0", + "patched_versions": ">=6.14.0", + "severity": "moderate", + "cwe": "CWE-400, CWE-1333", + "github_advisory_id": "GHSA-2g4f-4pwh-qvx6", + "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6" + }, + "1113719": { + "findings": [ + { + "version": "6.7.0", + "paths": [ + ".>karma>body-parser>qs" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "6.5.2", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>qs", + 
".>karma>log4js>slack-node>requestretry>request>qs", + ".>karma>useragent>request>qs" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "6.2.3", + "paths": [ + ".>karma>log4js>loggly>request>qs" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113719, + "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", + "module_name": "qs", + "vulnerable_versions": "<6.14.1", + "patched_versions": ">=6.14.1", + "severity": "moderate", + "cwe": "CWE-20", + "github_advisory_id": "GHSA-6rw7-vpxm-498p", + "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p" + }, + "1113950": { + "findings": [ + { + "version": "1.7.0", + "paths": [ + ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore", + ".>karma>log4js>nodemailer>nodemailer-smtp-pool>smtp-connection>httpntlm>underscore", + ".>karma>log4js>nodemailer>nodemailer-smtp-transport>smtp-connection>httpntlm>underscore" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1113950, + "title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", + "module_name": "underscore", + "vulnerable_versions": "<=1.13.7", + "patched_versions": ">=1.13.8", + "severity": "high", + "cwe": "CWE-674, CWE-770", + "github_advisory_id": "GHSA-qpx9-hpmf-5gmw", + "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw" + }, + "1114200": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1114200, + "title": "tar has Hardlink Path Traversal via Drive-Relative Linkpath", + "module_name": "tar", + "vulnerable_versions": "<=7.5.9", + "patched_versions": ">=7.5.10", + "severity": "high", + "cwe": "CWE-22, CWE-59", + "github_advisory_id": "GHSA-qffp-2rhf-9h96", + "url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96" + }, + 
"1114302": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1114302, + "title": "node-tar Symlink Path Traversal via Drive-Relative Linkpath", + "module_name": "tar", + "vulnerable_versions": "<=7.5.10", + "patched_versions": ">=7.5.11", + "severity": "high", + "cwe": "CWE-22", + "github_advisory_id": "GHSA-9ppj-qmqm-q256", + "url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256" + }, + "1114680": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1114680, + "title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS", + "module_name": "tar", + "vulnerable_versions": "<=7.5.3", + "patched_versions": ">=7.5.4", + "severity": "high", + "cwe": "CWE-176, CWE-367", + "github_advisory_id": "GHSA-r6q2-hw4h-h46w", + "url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w" + }, + "1115156": { + "findings": [ + { + "version": "3.1.3", + "paths": [ + ".>karma>socket.io>socket.io-client>socket.io-parser", + ".>karma>socket.io>socket.io-parser" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1115156, + "title": "socket.io allows an unbounded number of binary attachments", + "module_name": "socket.io-parser", + "vulnerable_versions": "<3.3.5", + "patched_versions": ">=3.3.5", + "severity": "high", + "cwe": "CWE-754", + "github_advisory_id": "GHSA-677m-j7p3-52f9", + "url": "https://github.com/advisories/GHSA-677m-j7p3-52f9" + }, + "1115540": { + "findings": [ + { + "version": "1.1.11", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>npm-packlist>ignore-walk>minimatch>brace-expansion", + ".>karma>chokidar>fsevents>node-pre-gyp>rimraf>glob>minimatch>brace-expansion", + ".>karma>glob>minimatch>brace-expansion", + 
".>karma>minimatch>brace-expansion", + ".>karma>rimraf>glob>minimatch>brace-expansion" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1115540, + "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", + "module_name": "brace-expansion", + "vulnerable_versions": "<1.1.13", + "patched_versions": ">=1.1.13", + "severity": "moderate", + "cwe": "CWE-400", + "github_advisory_id": "GHSA-f886-m6hf-6m8v", + "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v" + }, + "1115806": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>combine-lists>lodash", + ".>karma>lodash", + ".>karma>log4js>hipchat-notifier>lodash", + ".>karma>log4js>mailgun-js>async>lodash", + ".>karma>log4js>slack-node>requestretry>lodash" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1115806, + "title": "lodash vulnerable to Code Injection via \`_.template\` imports key names", + "module_name": "lodash", + "vulnerable_versions": ">=4.0.0 <=4.17.23", + "patched_versions": ">=4.17.24", + "severity": "high", + "cwe": "CWE-94", + "github_advisory_id": "GHSA-r5fr-rjxr-66jc", + "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc" + }, + "1115810": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>combine-lists>lodash", + ".>karma>lodash", + ".>karma>log4js>hipchat-notifier>lodash", + ".>karma>log4js>mailgun-js>async>lodash", + ".>karma>log4js>slack-node>requestretry>lodash" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1115810, + "title": "lodash vulnerable to Prototype Pollution via array path bypass in \`_.unset\` and \`_.omit\`", + "module_name": "lodash", + "vulnerable_versions": "<=4.17.23", + "patched_versions": ">=4.17.24", + "severity": "moderate", + "cwe": "CWE-1321", + "github_advisory_id": "GHSA-f23m-r3pf-42rh", + "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh" + }, + "1116270": { + "findings": [ + { + "version": 
"2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ], + "dev": false, + "optional": true, + "bundled": false + } + ], + "id": 1116270, + "title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", + "module_name": "nodemailer", + "vulnerable_versions": "<=8.0.4", + "patched_versions": ">=8.0.5", + "severity": "moderate", + "cwe": "CWE-93", + "github_advisory_id": "GHSA-vvjj-xcjg-gr5g", + "url": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g" + }, + "1116365": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>karma>log4js>axios", + ".>axios" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1116365, + "title": "Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF", + "module_name": "axios", + "vulnerable_versions": "<1.15.0", + "patched_versions": ">=1.15.0", + "severity": "critical", + "cwe": "CWE-441, CWE-918", + "github_advisory_id": "GHSA-3p68-rc4w-qgx5", + "url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5" + }, + "1116560": { + "findings": [ + { + "version": "1.9.0", + "paths": [ + ".>karma>http-proxy>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + }, + { + "version": "1.0.0", + "paths": [ + ".>karma>log4js>axios>follow-redirects", + ".>axios>follow-redirects" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1116560, + "title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets", + "module_name": "follow-redirects", + "vulnerable_versions": "<=1.15.11", + "patched_versions": ">=1.15.12", + "severity": "moderate", + "cwe": "CWE-200", + "github_advisory_id": "GHSA-r4q5-vmmm-2653", + "url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653" + }, + "1116605": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>karma>log4js>axios", + ".>axios" + ], + "dev": false, + "optional": false, + "bundled": false + } + ], + "id": 1116605, + "title": 
"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", + "module_name": "axios", + "vulnerable_versions": "<0.31.0", + "patched_versions": ">=0.31.0", + "severity": "critical", + "cwe": "CWE-113, CWE-444, CWE-918", + "github_advisory_id": "GHSA-fvcv-3m26-pcqx", + "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx" } }, - "muted": [], "metadata": { "vulnerabilities": { "info": 0, - "low": 4, - "moderate": 17, - "high": 21, - "critical": 4 + "low": 8, + "moderate": 42, + "high": 46, + "critical": 15 }, - "dependencies": 439, + "dependencies": 271, "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 439 + "optionalDependencies": 169, + "totalDependencies": 440 } }" `; - -exports[`plugin-commands-audit audit: CVEs in ignoreGhsas do not show up 1`] = ` -"┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ -│ │ client>xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Command injection in nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ nodemailer │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Insufficient Entropy in cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>cryptiles │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rq8g-5pc5-wrhr │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ critical │ Improper parsing of octal bytes in netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.1.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.1.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ 
.>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite on Windows via │ -│ │ insufficient relative path sanitization │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.18 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ 
More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary File Creation/Overwrite via insufficient │ -│ │ symlink protection due to directory cache poisoning │ -│ │ using symbolic links │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.4.16 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>fsevents>node-pre-gyp>tar │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Code Injection in pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ 
-┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <3.3.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=3.3.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-parser │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Injection │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>socket.io-client>engine.io- │ -│ │ client>xmlhttprequest-ssl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Arbitrary Code Execution in underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ underscore │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=1.3.2 <1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.12.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer>nodemailer-direct- │ -│ │ transport>smtp-connection>httpntlm>underscore │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Path traversal in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Remote Memory Exposure in bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.2.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.2.3 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>bl │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Denial of Service in http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.18.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>http-proxy │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Validation Bypass in kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ >=6.0.0 <6.0.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.0.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>anymatch>micromatch>kind-of │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ 
-└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Exposure of sensitive information in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.7 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ -│ │ │ -│ │ .>karma>http-proxy>follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Regular expression denial of service │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ glob-parent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.1.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>chokidar>glob-parent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Command Injection in lodash │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Prototype Pollution in lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.19 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.19 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Resource exhaustion in engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.0.0 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io>engine.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ high │ Authorization bypass in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.6 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.6 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in node-jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=5.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>har-validator>is-my- │ -│ │ json-valid>jsonpointer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ 
-└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Open redirect in url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.5.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.5.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>amqplib>url-parse │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ netmask npm package vulnerable to octal input data │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.0.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.0.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>mailgun-js>proxy-agent>pac-proxy- │ -│ │ agent>pac-resolver>netmask │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Insecure defaults due to CORS misconfiguration in │ -│ │ socket.io │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <2.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=2.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>socket.io │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Tmp files readable by other users in sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <=0.6.2 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ <0.0.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>sync-exec │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Memory Exposure in tunnel-agent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ tunnel-agent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.6.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.6.0 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>tunnel-agent │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.2.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.2.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>loggly>request>hawk>hoek │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ json-schema is vulnerable to Prototype Pollution │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ json-schema │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <0.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=0.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>hipchat-notifier>request>http- │ -│ │ signature>jsprim>json-schema │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ 
https://github.com/advisories/GHSA-896r-f27r-55mw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Header injection in nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.6.1 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>nodemailer │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Incorrect Default Permissions in log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.4.0 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=4.17.21 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>lodash │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Cross-site Scripting in karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.3.14 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.3.14 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Prototype Pollution in Ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <6.12.3 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=6.12.3 │ 
-├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>karma>log4js>hipchat-notifier>request>har- │ -│ │ validator>ajv │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -┌─────────────────────┬────────────────────────────────────────────────────────┐ -│ moderate │ Exposure of Sensitive Information to an Unauthorized │ -│ │ Actor in follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Package │ follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Vulnerable versions │ <1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Patched versions │ >=1.14.8 │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ Paths │ .>axios>follow-redirects │ -│ │ │ -│ │ .>karma>http-proxy>follow-redirects │ -├─────────────────────┼────────────────────────────────────────────────────────┤ -│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ -└─────────────────────┴────────────────────────────────────────────────────────┘ -46 vulnerabilities found -Severity: 4 low | 17 moderate (1 ignored) | 21 high (3 ignored) | 4 critical" -`; diff --git a/deps/compliance/commands/test/audit/fix.ts b/deps/compliance/commands/test/audit/fix.ts index 8db148b52b..6f6d896588 100644 --- a/deps/compliance/commands/test/audit/fix.ts +++ b/deps/compliance/commands/test/audit/fix.ts 
@@ -22,7 +22,7 @@ test('overrides are added for vulnerable dependencies', async () => { const tmp = f.prepare('has-vulnerabilities') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { exitCode, output } = await audit.handler({ @@ -55,7 +55,7 @@ test('no overrides are added if no vulnerabilities are found', async () => { const tmp = f.prepare('fixture') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.NO_VULN_RESP) const { exitCode, output } = await audit.handler({ @@ -70,22 +70,20 @@ test('no overrides are added if no vulnerabilities are found', async () => { expect(output).toBe('No fixes were made') }) -test('CVEs found in the allow list are not added as overrides', async () => { +test('GHSAs in the ignore list are not added as overrides', async () => { const tmp = f.prepare('has-vulnerabilities') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { exitCode, output } = await audit.handler({ ...AUDIT_REGISTRY_OPTS, auditLevel: 'moderate', auditConfig: { - ignoreCves: [ - 'CVE-2019-10742', - 'CVE-2020-28168', - 'CVE-2021-3749', - 'CVE-2020-7598', + ignoreGhsas: [ + // Denial of Service in axios (<=0.18.0) + 'GHSA-42xw-2xvc-qx8m', ], }, dir: tmp, 
@@ -97,7 +95,4 @@ test('CVEs found in the allow list are not added as overrides', async () => { const manifest = readYamlFileSync<{ overrides?: Record }>(path.join(tmp, 'pnpm-workspace.yaml')) expect(manifest.overrides?.['axios@<=0.18.0']).toBeFalsy() - expect(manifest.overrides?.['axios@<0.21.1']).toBeFalsy() - expect(manifest.overrides?.['minimist@<0.2.1']).toBeFalsy() - expect(manifest.overrides?.['url-parse@<1.5.6']).toBeTruthy() }) diff --git a/deps/compliance/commands/test/audit/fixWithUpdate.ts b/deps/compliance/commands/test/audit/fixWithUpdate.ts index 5a03f65814..3072704e88 100644 --- a/deps/compliance/commands/test/audit/fixWithUpdate.ts +++ b/deps/compliance/commands/test/audit/fixWithUpdate.ts @@ -1,4 +1,3 @@ -import { readFile } from 'node:fs/promises' import { join } from 'node:path' import { audit } from '@pnpm/deps.compliance.commands' @@ -10,6 +9,7 @@ import type { DepPath } from '@pnpm/types' import { readProjectManifest } from '@pnpm/workspace.project-manifest-reader' import { filterProjectsFromDir } from '@pnpm/workspace.projects-filter' import chalk from 'chalk' +import { loadJsonFile } from 'load-json-file' import { readYamlFileSync } from 'read-yaml-file' import { MOCK_REGISTRY, MOCK_REGISTRY_OPTS } from './utils/options.js' @@ -42,11 +42,11 @@ describe('audit fix with update', () => { expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'top-level-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'top-level-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { exitCode, output } = await audit.handler({ 
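Review bot: With the `url-parse@<1.5.6` assertion removed, this test no longer has a positive check, so it passes even if `audit --fix` writes no overrides at all (for example if the ignore list suppressed every finding or the fix step failed silently) — it only proves that the ignored advisory's override is absent. Keep one assertion for an advisory that is not in `ignoreGhsas`: if the url-parse advisory is still present in ALL_VULN_RESP the old line can come back as-is, otherwise a minimal guard such as `expect(Object.keys(manifest.overrides ?? {}).length).toBeGreaterThan(0)` pins that something was written. The enclosing test starts in the previous hunk.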
@@ -108,11 +108,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalDepPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedDepPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'top-level-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'top-level-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { exitCode, output } = await audit.handler({ @@ -169,11 +169,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'depth-2-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'depth-2-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { exitCode, output } = await audit.handler({ 
@@ -220,11 +220,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'depth-3-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'depth-3-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { exitCode, output } = await audit.handler({ @@ -274,11 +274,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages).toBeDefined() expect(originalLockfile!.packages![pkgId]).toBeDefined() - const mockResponse = await readFile(join(tmp, 'responses', 'unfixable-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'unfixable-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { exitCode, output } = await audit.handler({ 
@@ -338,11 +338,11 @@ The remaining vulnerabilities are: expect(originalLockfile!.packages![expectedPkgId1]).toBeUndefined() expect(originalLockfile!.packages![expectedPkgId2]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'form-data-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'form-data-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { exitCode, output } = await audit.handler({ @@ -404,11 +404,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'top-level-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'top-level-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { @@ -478,11 +478,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'depth-2-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'depth-2-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { 
@@ -559,11 +559,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalDepPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedDepPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'top-level-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'top-level-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { @@ -650,11 +650,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'top-level-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'top-level-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { @@ -738,11 +738,11 @@ The fixed vulnerabilities are: expect(originalLockfile!.packages![originalPkgId]).toBeDefined() expect(originalLockfile!.packages![expectedPkgId]).toBeUndefined() - const mockResponse = await readFile(join(tmp, 'responses', 'top-level-vulnerability.json'), 'utf-8') + const mockResponse = await loadJsonFile>(join(tmp, 'responses', 'top-level-vulnerability.json')) expect(mockResponse).toBeTruthy() getMockAgent().get(MOCK_REGISTRY) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, mockResponse) const { 
diff --git a/deps/compliance/commands/test/audit/fixtures/preserve-reference-overrides/pnpm-lock.yaml b/deps/compliance/commands/test/audit/fixtures/preserve-reference-overrides/pnpm-lock.yaml index cca596c156..29ee899a1c 100644 --- a/deps/compliance/commands/test/audit/fixtures/preserve-reference-overrides/pnpm-lock.yaml +++ b/deps/compliance/commands/test/audit/fixtures/preserve-reference-overrides/pnpm-lock.yaml @@ -22,3 +22,9 @@ packages: axios@0.18.0: resolution: {integrity: sha512-1qjL8847bdp87/g7G5nCW12s5J0D1Xv45Z6M4Z5Tsp8sTuXj5w8e0HIiln4Wj12v2H2tX4f6j62/j/k7u0/g==} + +snapshots: + + is-positive@1.0.0: {} + + axios@0.18.0: {} diff --git a/deps/compliance/commands/test/audit/fixtures/update-multiple/responses/form-data-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-multiple/responses/form-data-vulnerability.json index 7c80a114eb..ca962fb939 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-multiple/responses/form-data-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-multiple/responses/form-data-vulnerability.json @@ -1,36 +1,6 @@ { - "actions": [ + "form-data": [ { - "action": "update", - "resolves": [ - { - "id": 1109538, - "path": ".>axios>form-data", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "form-data", - "target": "4.0.5", - "depth": 3 - }, - { - "action": "review", - "module": "form-data", - "resolves": [ - { - "id": 1109539, - "path": ".>form-data", - "dev": false, - "optional": false, - "bundled": false - } - ] - } - ], - "advisories": { - "1109538": { "findings": [ { "version": "4.0.0", @@ -69,7 +39,7 @@ ], "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4" }, - "1109539": { + { "findings": [ { "version": "3.0.1", 
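Review bot: Both entries under `form-data` carry the same `url` (GHSA-fjxv-7rqg-78g4), so once GHSAs are derived from the url as the changeset describes, the two advisories collapse to a single identifier; whether that is intended (one advisory spanning two ranges) or an artefact of converting the two legacy ids 1109538/1109539 is not visible here. If the real bulk endpoint expresses a multi-range advisory as one entry with a combined `vulnerable_versions` such as `<3.0.4 || >=4.0.0 <4.0.4`, the fixture should match that shape, and a test that ignoring the one GHSA suppresses both ranges would pin the dedupe behaviour. The retained `findings` objects are, per the changeset, not part of the bulk response and may hide the code path that is supposed to compute paths locally from the lockfile.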
@@ -108,19 +78,5 @@ ], "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 0, - "critical": 2 - }, - "dependencies": 11, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 11 - } -} \ No newline at end of file + ] +} diff --git a/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/depth-2-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/depth-2-vulnerability.json index 006a7df1d0..c51e7863b7 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/depth-2-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/depth-2-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/dep-of-pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": ".>@pnpm.e2e/pkg-with-1-dep>@pnpm.e2e/dep-of-pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/dep-of-pkg-with-1-dep", - "target": "100.0.0", - "depth": 3 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/dep-of-pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } -} \ No newline at end of file + ] +} diff --git a/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/top-level-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/top-level-vulnerability.json index d588ecfe2a..28ba158e6f 100644 
--- a/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/top-level-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/top-level-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": ".>@pnpm.e2e/pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/pkg-with-1-dep", - "target": "100.0.0", - "depth": 2 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } -} \ No newline at end of file + ] +} diff --git a/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/unfixable-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/unfixable-vulnerability.json index 2890c98ddc..dd64951429 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/unfixable-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-single-depth-2/responses/unfixable-vulnerability.json @@ -1,7 +1,6 @@ { - "actions": [], - "advisories": { - "123456": { + "@pnpm.e2e/pkg-with-1-dep": [ + { "findings": [ { "version": "100.0.0", 
@@ -32,19 +31,5 @@ "overview": "Overview: unfixable vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } -} \ No newline at end of file + ] +} diff --git a/deps/compliance/commands/test/audit/fixtures/update-single-depth-3/responses/depth-3-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-single-depth-3/responses/depth-3-vulnerability.json index cf6b753a0a..9751210d19 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-single-depth-3/responses/depth-3-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-single-depth-3/responses/depth-3-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/dep-of-pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": ".>@pnpm.e2e/parent-of-pkg-with-1-dep>@pnpm.e2e/pkg-with-1-dep>@pnpm.e2e/dep-of-pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/dep-of-pkg-with-1-dep", - "target": "100.0.0", - "depth": 4 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/dep-of-pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 3, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 3 - } -} \ No newline at end of file + ] +} 
diff --git a/deps/compliance/commands/test/audit/fixtures/update-single-pinned/responses/top-level-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-single-pinned/responses/top-level-vulnerability.json index d588ecfe2a..28ba158e6f 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-single-pinned/responses/top-level-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-single-pinned/responses/top-level-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": ".>@pnpm.e2e/pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/pkg-with-1-dep", - "target": "100.0.0", - "depth": 2 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } -} \ No newline at end of file + ] +} diff --git a/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog-pinned/responses/top-level-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog-pinned/responses/top-level-vulnerability.json index c6fcef7549..c7e589e191 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog-pinned/responses/top-level-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog-pinned/responses/top-level-vulnerability.json 
@@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": "packages__sub-pkg>@pnpm.e2e/pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/pkg-with-1-dep", - "target": "100.0.0", - "depth": 2 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } + ] } diff --git a/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog/responses/top-level-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog/responses/top-level-vulnerability.json index c6fcef7549..c7e589e191 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog/responses/top-level-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-workspace-catalog/responses/top-level-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": "packages__sub-pkg>@pnpm.e2e/pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/pkg-with-1-dep", - "target": "100.0.0", - "depth": 2 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", 
@@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } + ] } diff --git a/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/depth-2-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/depth-2-vulnerability.json index 2acf55313b..5f03334ddc 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/depth-2-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/depth-2-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/dep-of-pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": "packages__sub-pkg>@pnpm.e2e/pkg-with-1-dep>@pnpm.e2e/dep-of-pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/dep-of-pkg-with-1-dep", - "target": "100.0.0", - "depth": 3 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/dep-of-pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } + ] } diff --git a/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/top-level-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/top-level-vulnerability.json index 7ad8890e9d..c7e589e191 100644 
--- a/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/top-level-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-workspace-depth-2/responses/top-level-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": "packages__sub-pkg>@pnpm.e2e/pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/pkg-with-1-dep", - "target": "100.0.0", - "depth": 2 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", @@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } -} \ No newline at end of file + ] +} diff --git a/deps/compliance/commands/test/audit/fixtures/update-workspace-pinned/responses/top-level-vulnerability.json b/deps/compliance/commands/test/audit/fixtures/update-workspace-pinned/responses/top-level-vulnerability.json index c6fcef7549..c7e589e191 100644 --- a/deps/compliance/commands/test/audit/fixtures/update-workspace-pinned/responses/top-level-vulnerability.json +++ b/deps/compliance/commands/test/audit/fixtures/update-workspace-pinned/responses/top-level-vulnerability.json @@ -1,23 +1,6 @@ { - "actions": [ + "@pnpm.e2e/pkg-with-1-dep": [ { - "action": "update", - "resolves": [ - { - "id": 123456, - "path": "packages__sub-pkg>@pnpm.e2e/pkg-with-1-dep", - "dev": false, - "optional": false, - "bundled": false - } - ], - "module": "@pnpm.e2e/pkg-with-1-dep", - "target": "100.0.0", - "depth": 2 - } - ], - "advisories": { - "123456": { "findings": [ { "version": "100.0.0", 
@@ -48,19 +31,5 @@ "overview": "Overview: mock vulnerability in @pnpm.e2e/pkg-with-1-dep", "url": "https://example.com" } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 0, - "high": 1, - "critical": 0 - }, - "dependencies": 2, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 2 - } + ] } diff --git a/deps/compliance/commands/test/audit/ignore.ts b/deps/compliance/commands/test/audit/ignore.ts index b29febb971..f9327af868 100644 --- a/deps/compliance/commands/test/audit/ignore.ts +++ b/deps/compliance/commands/test/audit/ignore.ts @@ -18,12 +18,36 @@ afterEach(async () => { await teardownMockAgent() }) +// Advisories whose vulnerable_versions can't be inferred into a patched +// range (`>=0.0.0` / `*` cover the entire version space). With no inferable +// fix, these surface as "no resolution" for --ignore-unfixable. +const UNFIXABLE_RESPONSE = { + axios: [ + { + id: 90000001, + url: 'https://github.com/advisories/GHSA-unfixable-test-0001', + title: 'unfixable axios advisory used for tests', + severity: 'high', + vulnerable_versions: '>=0.0.0', + cwe: [] as string[], + }, + { + id: 90000002, + url: 'https://github.com/advisories/GHSA-unfixable-test-0002', + title: 'another unfixable axios advisory used for tests', + severity: 'moderate', + vulnerable_versions: '*', + cwe: [] as string[], + }, + ], +} + test('ignores are added for vulnerable dependencies with no resolutions', async () => { const tmp = f.prepare('has-vulnerabilities') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) - .reply(200, responses.ALL_VULN_RESP) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, UNFIXABLE_RESPONSE) const { exitCode, output } = await audit.handler({ ...AUDIT_REGISTRY_OPTS, 
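Review bot: The synthetic ids `GHSA-unfixable-test-0001` / `-0002` do not follow the `GHSA-xxxx-xxxx-xxxx` shape the changeset says is derived from `url`, so this fixture cannot tell whether the parser validates the derived identifier or accepts any path suffix under `/advisories/`. That matters because the derived value is written into `pnpm-workspace.yaml` by `--ignore-unfixable`, i.e. a registry response controls what lands in the user's config; validating the id shape before writing bounds that. Use format-valid ids such as `GHSA-2222-3333-4444` and `GHSA-5555-6666-7777` here, and add a case where an advisory whose `url` carries no GHSA is still reported but not written to `ignoreGhsas`. The same applies to the `GHSA-below-level-test-0001` id used in the index.ts test further down.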
@@ -38,16 +62,16 @@ test('ignores are added for vulnerable dependencies with no resolutions', async expect(output).toContain('2 new vulnerabilities were ignored') const manifest = readYamlFileSync(path.join(tmp, 'pnpm-workspace.yaml')) // eslint-disable-line - const cveList = manifest.auditConfig?.ignoreCves - expect(cveList?.length).toBe(2) - expect(cveList).toStrictEqual(expect.arrayContaining(['CVE-2017-16115', 'CVE-2017-16024'])) + const ghsaList = manifest.auditConfig?.ignoreGhsas + expect(ghsaList?.length).toBe(2) + expect(ghsaList).toStrictEqual(expect.arrayContaining(['GHSA-unfixable-test-0001', 'GHSA-unfixable-test-0002'])) }) test('the specified vulnerabilities are ignored', async () => { const tmp = f.prepare('has-vulnerabilities') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { exitCode, output } = await audit.handler({ 
@@ -56,21 +80,23 @@ test('the specified vulnerabilities are ignored', async () => { dir: tmp, rootProjectManifestDir: tmp, fix: false, - ignore: ['CVE-2017-16115'], + ignore: ['GHSA-cph5-m8f7-6c5x'], }) expect(exitCode).toBe(0) expect(output).toContain('1 new vulnerabilities were ignored') const manifest = readYamlFileSync(path.join(tmp, 'pnpm-workspace.yaml')) // eslint-disable-line - expect(manifest.auditConfig?.ignoreCves).toStrictEqual(['CVE-2017-16115']) + // Stored canonicalized (GHSA prefix upper, suffix lower) regardless of the + // user-supplied casing. + expect(manifest.auditConfig?.ignoreGhsas).toStrictEqual(['GHSA-cph5-m8f7-6c5x']) }) test('no ignores are added if no vulnerabilities are found', async () => { const tmp = f.prepare('fixture') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.NO_VULN_RESP) const { exitCode, output } = await audit.handler({ 
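Review bot: The comment on the assertion claims the stored value is canonicalized regardless of user-supplied casing, but `ignore: ['GHSA-cph5-m8f7-6c5x']` is already canonical, so the test never exercises that; pass a mixed-case value, e.g. `ignore: ['ghsa-CPH5-m8f7-6C5X']`, and keep the expected `['GHSA-cph5-m8f7-6c5x']`. It is also not visible here whether a non-GHSA `--ignore` value (a leftover `CVE-2017-16115` from a pre-migration script) is rejected or silently written into `ignoreGhsas`; a test pinning that would back the migration note in the changeset.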
@@ -86,24 +112,22 @@ test('no ignores are added if no vulnerabilities are found', async () => { expect(output).toBe('No new vulnerabilities were ignored') }) -test('ignored CVEs are not duplicated', async () => { +test('ignored GHSAs are not duplicated', async () => { const tmp = f.prepare('has-vulnerabilities') - const existingCves = [ - 'CVE-2019-10742', - 'CVE-2020-7598', - 'CVE-2017-16115', - 'CVE-2017-16024', + const existingGhsas = [ + 'GHSA-unfixable-test-0001', + 'GHSA-unfixable-test-0002', ] getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) - .reply(200, responses.ALL_VULN_RESP) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, UNFIXABLE_RESPONSE) const { exitCode, output } = await audit.handler({ ...AUDIT_REGISTRY_OPTS, auditLevel: 'moderate', auditConfig: { - ignoreCves: existingCves, + ignoreGhsas: existingGhsas, }, dir: tmp, rootProjectManifestDir: tmp, @@ -114,5 +138,5 @@ test('ignored CVEs are not duplicated', async () => { expect(output).toBe('No new vulnerabilities were ignored') const manifest = readYamlFileSync(path.join(tmp, 'pnpm-workspace.yaml')) // eslint-disable-line - expect(manifest.auditConfig?.ignoreCves).toStrictEqual(expect.arrayContaining(existingCves)) + expect(manifest.auditConfig?.ignoreGhsas).toStrictEqual(expect.arrayContaining(existingGhsas)) }) diff --git a/deps/compliance/commands/test/audit/index.ts b/deps/compliance/commands/test/audit/index.ts index 49d951fc1c..f3713e8a00 100644 --- a/deps/compliance/commands/test/audit/index.ts +++ b/deps/compliance/commands/test/audit/index.ts 
@@ -29,7 +29,7 @@ describe('plugin-commands-audit', () => { }) test('audit', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { output, exitCode } = await audit.handler({ @@ -43,7 +43,7 @@ describe('plugin-commands-audit', () => { test('audit --dev', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.DEV_VULN_ONLY_RESP) const { output, exitCode } = await audit.handler({ @@ -60,7 +60,7 @@ describe('plugin-commands-audit', () => { test('audit --audit-level', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { output, exitCode } = await audit.handler({ @@ -76,7 +76,7 @@ describe('plugin-commands-audit', () => { test('audit: no vulnerabilities', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.NO_VULN_RESP) const { output, exitCode } = await audit.handler({ @@ -91,7 +91,7 @@ describe('plugin-commands-audit', () => { test('audit --json', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { output, exitCode } = await audit.handler({ 
@@ -106,27 +106,39 @@ describe('plugin-commands-audit', () => { expect(exitCode).toBe(1) }) - test.skip('audit does not exit with code 1 if the found vulnerabilities are having lower severity then what we asked for', async () => { + test('audit exits 0 when every found vulnerability is below --audit-level', async () => { + // Only a single moderate advisory against axios. With --audit-level=high + // the table is empty (so exitCode is 0), but the summary still reports + // the moderate vulnerability so the user knows it exists. getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) - .reply(200, responses.DEV_VULN_ONLY_RESP) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, { + axios: [ + { + id: 99000001, + url: 'https://github.com/advisories/GHSA-below-level-test-0001', + title: 'moderate axios advisory for audit-level test', + severity: 'moderate', + vulnerable_versions: '<=0.99.0', + cwe: [] as string[], + }, + ], + }) const { output, exitCode } = await audit.handler({ ...AUDIT_REGISTRY_OPTS, auditLevel: 'high', dir: hasVulnerabilitiesDir, rootProjectManifestDir: hasVulnerabilitiesDir, - dev: true, }) expect(exitCode).toBe(0) - expect(stripAnsi(output)).toBe(`1 vulnerabilities found - Severity: 1 moderate`) + expect(stripAnsi(output)).toBe('1 vulnerabilities found\nSeverity: 1 moderate') }) test('audit --json respects audit-level', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.DEV_VULN_ONLY_RESP) const { exitCode, output } = await audit.handler({ 
@@ -138,14 +150,19 @@ describe('plugin-commands-audit', () => { dev: true, }) - expect(exitCode).toBe(0) + expect(exitCode).toBe(1) const parsed = JSON.parse(output) - expect(Object.keys(parsed.advisories)).toHaveLength(0) + // DEV_VULN_ONLY_RESP has 2 critical advisories — only those should be + // included at audit-level=critical. + expect(Object.keys(parsed.advisories)).toHaveLength(2) + for (const advisory of Object.values(parsed.advisories) as Array<{ severity: string }>) { + expect(advisory.severity).toBe('critical') + } }) test('audit --json filters advisories by audit-level', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.DEV_VULN_ONLY_RESP) const { exitCode, output } = await audit.handler({ 
@@ -159,21 +176,17 @@ describe('plugin-commands-audit', () => { expect(exitCode).toBe(1) const parsed = JSON.parse(output) - // DEV_VULN_ONLY_RESP has 4 high and 2 moderate advisories - // With audit-level=high, only the 4 high advisories should be included - expect(Object.keys(parsed.advisories)).toHaveLength(4) + // At audit-level=high, only high/critical advisories should remain. for (const advisory of Object.values(parsed.advisories) as Array<{ severity: string }>) { - expect(advisory.severity).toBe('high') + expect(['high', 'critical']).toContain(advisory.severity) } + expect(Object.keys(parsed.advisories).length).toBeGreaterThan(0) }) test('audit does not exit with code 1 if the registry responds with a non-200 response and ignoreRegistryErrors is used', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(500, { message: 'Something bad happened' }) - getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits', method: 'POST' }) - .reply(500, { message: 'Fallback failed too' }) const { output, exitCode } = await audit.handler({ ...AUDIT_REGISTRY_OPTS, dir: hasVulnerabilitiesDir, 
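Review bot: Replacing `toHaveLength(4)` with `toBeGreaterThan(0)` leaves this test unable to detect a filter that silently drops most high or critical advisories — a single surviving advisory satisfies both remaining assertions. The fixture is checked in, so the expected count is known; pin it the way the preceding test pins `2` critical advisories, e.g. `expect(Object.keys(parsed.advisories)).toHaveLength(<number of high+critical advisories in DEV_VULN_ONLY_RESP>)`, and keep a comment stating where that number comes from so the next fixture update is forced to revisit it. The removed comment gave exactly that provenance; the new one should too.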
@@ -185,13 +198,13 @@ describe('plugin-commands-audit', () => { }) expect(exitCode).toBe(0) - expect(stripAnsi(output)).toBe(`The audit endpoint (at ${AUDIT_REGISTRY}-/npm/v1/security/audits/quick) responded with 500: {"message":"Something bad happened"}. Fallback endpoint (at ${AUDIT_REGISTRY}-/npm/v1/security/audits) responded with 500: {"message":"Fallback failed too"}`) + expect(stripAnsi(output)).toBe(`The audit endpoint (at ${AUDIT_REGISTRY}-/npm/v1/security/advisories/bulk) responded with 500: {"message":"Something bad happened"}`) }) test('audit sends authToken', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) .intercept({ - path: '/-/npm/v1/security/audits/quick', + path: '/-/npm/v1/security/advisories/bulk', method: 'POST', headers: { authorization: 'Bearer 123' }, }) @@ -212,10 +225,7 @@ describe('plugin-commands-audit', () => { test('audit endpoint does not exist', async () => { getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) - .reply(404, {}) - getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(404, {}) await expect(audit.handler({ 
@@ -229,38 +239,11 @@ describe('plugin-commands-audit', () => { })).rejects.toThrow(AuditEndpointNotExistsError) }) - test('audit: CVEs in ignoreCves do not show up', async () => { + test('audit: advisories in ignoreGhsas do not show up', async () => { const tmp = f.prepare('has-vulnerabilities') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) - .reply(200, responses.ALL_VULN_RESP) - - const { exitCode, output } = await audit.handler({ - ...AUDIT_REGISTRY_OPTS, - auditLevel: 'moderate', - dir: tmp, - rootProjectManifestDir: tmp, - rootProjectManifest: {}, - auditConfig: { - ignoreCves: [ - 'CVE-2019-10742', - 'CVE-2020-28168', - 'CVE-2021-3749', - 'CVE-2020-7598', - ], - }, - }) - - expect(exitCode).toBe(1) - expect(stripAnsi(output)).toMatchSnapshot() - }) - - test('audit: CVEs in ignoreGhsas do not show up', async () => { - const tmp = f.prepare('has-vulnerabilities') - - getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { exitCode, output } = await audit.handler({ @@ -283,11 +266,11 @@ describe('plugin-commands-audit', () => { expect(stripAnsi(output)).toMatchSnapshot() }) - test('audit: CVEs in ignoreCves do not show up when JSON output is used', async () => { + test('audit: advisories in ignoreGhsas do not show up when JSON output is used', async () => { const tmp = f.prepare('has-vulnerabilities') getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { exitCode, output } = await audit.handler({ 
@@ -298,11 +281,11 @@ describe('plugin-commands-audit', () => { json: true, rootProjectManifest: {}, auditConfig: { - ignoreCves: [ - 'CVE-2019-10742', - 'CVE-2020-28168', - 'CVE-2021-3749', - 'CVE-2020-7598', + ignoreGhsas: [ + 'GHSA-42xw-2xvc-qx8m', + 'GHSA-4w2v-q235-vp99', + 'GHSA-cph5-m8f7-6c5x', + 'GHSA-vh95-rmgr-6w4m', ], }, }) @@ -310,4 +293,37 @@ describe('plugin-commands-audit', () => { expect(exitCode).toBe(1) expect(stripAnsi(output)).toMatchSnapshot() }) + + test('audit --audit-level info', async () => { + getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, responses.INFO_VULN_RESP) + + const { output, exitCode } = await audit.handler({ + ...AUDIT_REGISTRY_OPTS, + auditLevel: 'info', + dir: hasVulnerabilitiesDir, + rootProjectManifestDir: hasVulnerabilitiesDir, + }) + + expect(exitCode).toBe(1) + expect(stripAnsi(output)).toContain('just some info') + expect(stripAnsi(output)).toContain('info') + }) + + test('audit defaults to low level and ignores info', async () => { + getMockAgent().get(AUDIT_REGISTRY.replace(/\/$/, '')) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) + .reply(200, responses.INFO_VULN_RESP) + + const { output, exitCode } = await audit.handler({ + ...AUDIT_REGISTRY_OPTS, + dir: hasVulnerabilitiesDir, + rootProjectManifestDir: hasVulnerabilitiesDir, + }) + + expect(exitCode).toBe(0) + expect(stripAnsi(output)).toBe(`1 vulnerabilities found +Severity: 1 info`) + }) }) diff --git a/deps/compliance/commands/test/audit/preserveReferenceOverrides.ts b/deps/compliance/commands/test/audit/preserveReferenceOverrides.ts index 5cf8adb806..65b69db2c8 100644 --- a/deps/compliance/commands/test/audit/preserveReferenceOverrides.ts +++ b/deps/compliance/commands/test/audit/preserveReferenceOverrides.ts 
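Review bot: In `audit --audit-level info`, the second assertion `expect(stripAnsi(output)).toContain('info')` is implied by the first, since `'just some info'` (presumably the advisory title in `INFO_VULN_RESP`) already contains `info`, so nothing verifies that the severity column actually reads `info`. Replace it with a check the title alone cannot satisfy — the rest of this file uses `expect(stripAnsi(output)).toMatchSnapshot()` for table output, which would also pin the severity label. The sibling test `audit defaults to low level and ignores info` shows the summary line still counts the `info` advisory even though it is not listed and does not fail the run; a one-line comment there, such as `// info advisories are counted in the summary but neither listed nor failing by default`, would make that intentional behaviour explicit.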
@@ -25,7 +25,7 @@ test('overrides with references (via $) are preserved during audit --fix', async const tmp = f.prepare('preserve-reference-overrides') getMockAgent().get(registries.default.replace(/\/$/, '')) - .intercept({ path: '/-/npm/v1/security/audits/quick', method: 'POST' }) + .intercept({ path: '/-/npm/v1/security/advisories/bulk', method: 'POST' }) .reply(200, responses.ALL_VULN_RESP) const { manifest: initialManifest } = await readProjectManifest(tmp) diff --git a/deps/compliance/commands/test/audit/utils/responses/all-vulnerabilities-response.json b/deps/compliance/commands/test/audit/utils/responses/all-vulnerabilities-response.json index 89c5fffd71..08eab99118 100644 --- a/deps/compliance/commands/test/audit/utils/responses/all-vulnerabilities-response.json +++ b/deps/compliance/commands/test/audit/utils/responses/all-vulnerabilities-response.json 
@@ -1,1969 +1,1690 @@ { - "actions": [ + "axios": [ { - "action": "update", - "resolves": [ - { - "id": 1005586, - "path": ".>karma>http-proxy", - "dev": false, - "optional": false, - "bundled": false - } + "id": 1102326, + "url": "https://github.com/advisories/GHSA-cph5-m8f7-6c5x", + "title": "axios Inefficient Regular Expression Complexity vulnerability", + "severity": "high", + "vulnerable_versions": "<0.21.2", + "cwe": [ + "CWE-400", + "CWE-1333" ], - "module": "http-proxy", - "target": "1.18.1", - "depth": 3 + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } }, { - "action": "update", - "resolves": [ - { - "id": 1006110, - "path": ".>karma>chokidar>anymatch>micromatch>kind-of", - "dev": false, - "optional": false, - "bundled": false - } + "id": 1111034, + "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6", + "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL", + "severity": "high", + "vulnerable_versions": "<0.30.0", + "cwe": [ + "CWE-918" ], - "module": "kind-of", - "target": "6.0.3", - "depth": 6 + "cvss": { + "score": 0, + "vectorString": null + } }, { - "action": "update", - "resolves": [ - { - "id": 1006724, - "path": ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema", - "dev": false, - "optional": false, - "bundled": false - } + "id": 1113274, + "url": "https://github.com/advisories/GHSA-43fc-jf86-j433", + "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", + "severity": "high", + "vulnerable_versions": "<=0.30.2", + "cwe": [ + "CWE-754" ], - "module": "jsprim", - "target": "1.4.2", - "depth": 7 + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } }, { - "action": "update", - "resolves": [ - { - "id": 1006865, - "path": ".>karma>http-proxy>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1007026, - "path": 
".>karma>http-proxy>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - } + "id": 1116365, + "url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5", + "title": "Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF", + "severity": "critical", + "vulnerable_versions": "<1.15.0", + "cwe": [ + "CWE-441", + "CWE-918" ], - "module": "follow-redirects", - "target": "1.14.9", - "depth": 4 + "cvss": { + "score": 0, + "vectorString": null + } }, { - "action": "update", - "resolves": [ - { - "id": 1006948, - "path": ".>karma>lodash", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006949, - "path": ".>karma>lodash", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006952, - "path": ".>karma>lodash", - "dev": false, - "optional": false, - "bundled": false - } + "id": 1116605, + "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", + "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", + "severity": "critical", + "vulnerable_versions": "<0.31.0", + "cwe": [ + "CWE-113", + "CWE-444", + "CWE-918" ], - "module": "lodash", - "target": "4.17.21", - "depth": 3 + "cvss": { + "score": 10, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + } }, { - "action": "review", - "module": "jsonpointer", - "resolves": [ - { - "id": 1004869, - "path": ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer", - "dev": false, - "optional": false, - "bundled": false - } - ] + "id": 1090049, + "url": "https://github.com/advisories/GHSA-4w2v-q235-vp99", + "title": "Axios vulnerable to Server-Side Request Forgery", + "severity": "moderate", + "vulnerable_versions": "<0.21.1", + "cwe": [ + "CWE-918" + ], + "cvss": { + "score": 5.9, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } }, { - "action": "review", - "module": "axios", - "resolves": [ - { - "id": 1005018, - "path": ".>axios", - "dev": false, - "optional": 
false, - "bundled": false - }, - { - "id": 1005506, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006349, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - } - ] + "id": 1097679, + "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", + "title": "Axios Cross-Site Request Forgery Vulnerability", + "severity": "moderate", + "vulnerable_versions": ">=0.8.1 <0.28.0", + "cwe": [ + "CWE-352" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } }, { - "action": "review", - "module": "tar", - "resolves": [ - { - "id": 1005040, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005043, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005046, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "pac-resolver", - "resolves": [ - { - "id": 1005062, - "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "url-parse", - "resolves": [ - { - "id": 1005084, - "path": ".>karma>log4js>amqplib>url-parse", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005404, - "path": ".>karma>log4js>amqplib>url-parse", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1007030, - "path": ".>karma>log4js>amqplib>url-parse", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "socket.io-parser", - "resolves": [ - { - "id": 1005107, - "path": ".>karma>socket.io>socket.io-parser", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - 
"module": "xmlhttprequest-ssl", - "resolves": [ - { - "id": 1005175, - "path": ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005260, - "path": ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "redis", - "resolves": [ - { - "id": 1005277, - "path": ".>karma>log4js>redis", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "nodemailer", - "resolves": [ - { - "id": 1005307, - "path": ".>karma>log4js>nodemailer", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006788, - "path": ".>karma>log4js>nodemailer", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "underscore", - "resolves": [ - { - "id": 1005367, - "path": ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "netmask", - "resolves": [ - { - "id": 1005392, - "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006822, - "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "socket.io", - "resolves": [ - { - "id": 1005490, - "path": ".>karma>socket.io", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "bl", - "resolves": [ - { - "id": 1005563, - "path": ".>karma>log4js>loggly>request>bl", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": 
"timespan", - "resolves": [ - { - "id": 1005745, - "path": ".>karma>log4js>loggly>timespan", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "sync-exec", - "resolves": [ - { - "id": 1005902, - "path": ".>sync-exec", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "minimist", - "resolves": [ - { - "id": 1006180, - "path": ".>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006180, - "path": ".>karma>optimist>minimist", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "braces", - "resolves": [ - { - "id": 1006342, - "path": ".>karma>expand-braces>braces", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006837, - "path": ".>karma>expand-braces>braces", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "tunnel-agent", - "resolves": [ - { - "id": 1006373, - "path": ".>karma>log4js>loggly>request>tunnel-agent", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "cryptiles", - "resolves": [ - { - "id": 1006603, - "path": ".>karma>log4js>loggly>request>hawk>cryptiles", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "hoek", - "resolves": [ - { - "id": 1006659, - "path": ".>karma>log4js>loggly>request>hawk>hoek", - "dev": false, - "bundled": false, - "optional": false - } - ] - }, - { - "action": "review", - "module": "follow-redirects", - "resolves": [ - { - "id": 1006865, - "path": ".>axios>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1007026, - "path": ".>axios>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - 
"module": "log4js", - "resolves": [ - { - "id": 1006902, - "path": ".>karma>log4js", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "glob-parent", - "resolves": [ - { - "id": 1006947, - "path": ".>karma>chokidar>glob-parent", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "engine.io", - "resolves": [ - { - "id": 1006975, - "path": ".>karma>socket.io>engine.io", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "karma", - "resolves": [ - { - "id": 1006997, - "path": ".>karma", - "dev": false, - "optional": false, - "bundled": false - } - ] - }, - { - "action": "review", - "module": "ajv", - "resolves": [ - { - "id": 1007017, - "path": ".>karma>log4js>hipchat-notifier>request>har-validator>ajv", - "dev": false, - "optional": false, - "bundled": false - } - ] + "id": 1091722, + "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m", + "title": "Denial of Service in axios", + "severity": "high", + "vulnerable_versions": "<=0.18.0", + "cwe": [ + "CWE-20", + "CWE-755" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } } ], - "advisories": { - "1004869": { - "findings": [ - { - "version": "4.0.1", - "paths": [ - ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<5.0.0", - "module_name": "jsonpointer", - "severity": "moderate", - "github_advisory_id": "GHSA-282f-qqgm-c34q", - "cves": [ - "CVE-2021-23807" - ], - "access": "public", - "patched_versions": ">=5.0.0", - "updated": "2021-11-04T16:58:08.000Z", - "recommendation": "Upgrade to version 5.0.0 or later", - "cwe": "CWE-843", - "found_by": null, - "deleted": null, - "id": 1004869, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23807\n- https://github.com/janl/node-jsonpointer/pull/51\n- 
https://github.com/janl/node-jsonpointer/commit/a0345f3550cd9c4d89f33b126390202b89510ad4\n- https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577288\n- https://github.com/advisories/GHSA-282f-qqgm-c34q", - "created": "2021-11-18T16:00:48.459Z", - "reported_by": null, - "title": "Prototype Pollution in node-jsonpointer", - "npm_advisory_id": null, - "overview": "This affects the package `jsonpointer` before `5.0.0`. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.", - "url": "https://github.com/advisories/GHSA-282f-qqgm-c34q" - }, - "1005018": { - "findings": [ - { - "version": "0.15.3", - "paths": [ - ".>axios" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.21.1", - "module_name": "axios", - "severity": "high", - "github_advisory_id": "GHSA-cph5-m8f7-6c5x", - "cves": [ - "CVE-2021-3749" - ], - "access": "public", - "patched_versions": ">=0.21.2", - "updated": "2021-09-08T16:46:47.000Z", - "recommendation": "Upgrade to version 0.21.2 or later", - "cwe": "CWE-697", - "found_by": null, - "deleted": null, - "id": 1005018, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3749\n- https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929\n- https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31\n- https://www.npmjs.com/package/axios\n- https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E\n- 
https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-cph5-m8f7-6c5x", - "created": "2021-11-18T16:00:48.489Z", - "reported_by": null, - "title": "Incorrect Comparison in axios", - "npm_advisory_id": null, - "overview": "axios is vulnerable to Inefficient Regular Expression Complexity", - "url": "https://github.com/advisories/GHSA-cph5-m8f7-6c5x" - }, - "1005040": { - "findings": [ - { - "version": "4.4.15", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>tar" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.4.18", - "module_name": "tar", - "severity": "high", - "github_advisory_id": "GHSA-5955-9wpr-37jh", - "cves": [ - "CVE-2021-37713" - ], - "access": "public", - "patched_versions": ">=4.4.18", - "updated": "2021-08-31T16:02:33.000Z", - "recommendation": "Upgrade to version 4.4.18 or later", - "cwe": "CWE-22", - "found_by": null, - "deleted": null, - "id": 1005040, - "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37713\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://github.com/advisories/GHSA-5955-9wpr-37jh", - "created": "2021-11-18T16:00:48.492Z", - 
"reported_by": null, - "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", - "npm_advisory_id": null, - "overview": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.\n\nThis logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory.\n\nAdditionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path.\n\nThis only affects users of `node-tar` on Windows systems.\n\n### Patches\n\n4.4.18 || 5.0.10 || 6.1.9\n\n### Workarounds\n\nThere is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.\n\nUsers are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.\n\n### Fix\n\nThe fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not \"absolute\".\n\nAdditionally, a path starting with a drive letter and then two dots, like `c:../`, would bypass the 
check for `..` path portions. This is checked properly in the patched versions.\n\nFinally, a defense in depth check is added, such that if the `entry.absolute` is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. Currently, it is believed that this check is redundant, but it did catch some oversights in development.\n", - "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh" - }, - "1005043": { - "findings": [ - { - "version": "4.4.15", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>tar" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.4.18", - "module_name": "tar", - "severity": "high", - "github_advisory_id": "GHSA-qq89-hq3f-393p", - "cves": [ - "CVE-2021-37712" - ], - "access": "public", - "patched_versions": ">=4.4.18", - "updated": "2021-08-31T16:02:05.000Z", - "recommendation": "Upgrade to version 4.4.18 or later", - "cwe": "CWE-22", - "found_by": null, - "deleted": null, - "id": 1005043, - "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37712\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://github.com/advisories/GHSA-qq89-hq3f-393p", - "created": "2021-11-18T16:00:48.493Z", - "reported_by": null, - "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", - "npm_advisory_id": null, - "overview": "### Impact\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n6.1.9 || 5.0.10 || 4.4.18\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n#### Fix\n\nThe problem is addressed in the following ways, when comparing paths in the directory cache and path reservation systems:\n\n1. 
The `String.normalize('NFKD')` method is used to first normalize all unicode to its maximally compatible and multi-code-point form.\n2. All slashes are normalized to `/` on Windows systems (on posix systems, `\\` is a valid filename character, and thus left intact).\n3. When a symbolic link is encountered on Windows systems, the entire directory cache is cleared. Collisions related to use of 8.3 short names to replace directories with other (non-symlink) types of entries may make archives fail to extract properly, but will not result in arbitrary file writes.\n", - "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p" - }, - "1005046": { - "findings": [ - { - "version": "4.4.15", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>tar" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.4.16", - "module_name": "tar", - "severity": "high", - "github_advisory_id": "GHSA-9r2w-394v-53qc", - "cves": [ - "CVE-2021-37701" - ], - "access": "public", - "patched_versions": ">=4.4.16", - "updated": "2021-08-31T16:01:51.000Z", - "recommendation": "Upgrade to version 4.4.16 or later", - "cwe": "CWE-22", - "found_by": null, - "deleted": null, - "id": 1005046, - "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37701\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://github.com/advisories/GHSA-9r2w-394v-53qc", - "created": "2021-11-18T16:00:48.493Z", - "reported_by": null, - "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", - "npm_advisory_id": null, - "overview": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. 
This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. 
If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar's API will now always use `/` as a path separator, even on Windows systems. 
This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.", - "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc" - }, - "1005062": { - "findings": [ - { - "version": "3.0.0", - "paths": [ - ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<5.0.0", - "module_name": "pac-resolver", - "severity": "high", - "github_advisory_id": "GHSA-9j49-mfvp-vmhm", - "cves": [ - "CVE-2021-23406" - ], - "access": "public", - "patched_versions": ">=5.0.0", - "updated": "2021-08-25T19:28:31.000Z", - "recommendation": "Upgrade to version 5.0.0 or later", - "cwe": "CWE-94", - "found_by": null, - "deleted": null, - "id": 1005062, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23406\n- https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e\n- https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5\n- https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506\n- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857\n- https://github.com/advisories/GHSA-9j49-mfvp-vmhm", - "created": "2021-11-18T16:00:48.495Z", - "reported_by": null, - "title": "Code Injection in pac-resolver", - "npm_advisory_id": null, - "overview": "This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. 
**NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.", - "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" - }, - "1005084": { - "findings": [ - { - "version": "1.4.7", - "paths": [ - ".>karma>log4js>amqplib>url-parse" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.5.2", - "module_name": "url-parse", - "severity": "moderate", - "github_advisory_id": "GHSA-hh27-ffr2-f2jc", - "cves": [ - "CVE-2021-3664" - ], - "access": "public", - "patched_versions": ">=1.5.2", - "updated": "2021-08-02T21:28:22.000Z", - "recommendation": "Upgrade to version 1.5.2 or later", - "cwe": "CWE-601", - "found_by": null, - "deleted": null, - "id": 1005084, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3664\n- https://github.com/unshiftio/url-parse/issues/205\n- https://github.com/unshiftio/url-parse/issues/206\n- https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0\n- https://huntr.dev/bounties/1625557993985-unshiftio/url-parse\n- https://github.com/advisories/GHSA-hh27-ffr2-f2jc", - "created": "2021-11-18T16:00:48.498Z", - "reported_by": null, - "title": "Open redirect in url-parse", - "npm_advisory_id": null, - "overview": "# Overview\n\nAffected versions of npm `url-parse` are vulnerable to URL Redirection to Untrusted Site.\n\n# Impact\n\nDepending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.", - "url": "https://github.com/advisories/GHSA-hh27-ffr2-f2jc" - }, - "1005107": { - "findings": [ - { - "version": "3.1.3", - "paths": [ - ".>karma>socket.io>socket.io-parser" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<3.3.2", - "module_name": "socket.io-parser", - "severity": "high", - "github_advisory_id": "GHSA-xfhh-g9f5-x4m4", - "cves": [ - "CVE-2020-36049" - ], - "access": "public", - "patched_versions": ">=3.3.2", - "updated": 
"2021-06-30T16:54:43.000Z", - "recommendation": "Upgrade to version 3.3.2 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1005107, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-36049\n- https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55\n- https://blog.caller.xyz/socketio-engineio-dos/\n- https://github.com/bcaller/kill-engine-io\n- https://github.com/socketio/socket.io-parser/releases/tag/3.3.2\n- https://github.com/socketio/socket.io-parser/releases/tag/3.4.1\n- https://www.npmjs.com/package/socket.io-parser\n- https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", - "created": "2021-11-18T16:00:48.501Z", - "reported_by": null, - "title": "Resource exhaustion in socket.io-parser", - "npm_advisory_id": null, - "overview": "The `socket.io-parser` npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", - "url": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4" - }, - "1005175": { - "findings": [ - { - "version": "1.5.5", - "paths": [ - ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.6.1", - "module_name": "xmlhttprequest-ssl", - "severity": "critical", - "github_advisory_id": "GHSA-72mh-269x-7mh5", - "cves": [ - "CVE-2021-31597" - ], - "access": "public", - "patched_versions": ">=1.6.1", - "updated": "2021-05-20T21:59:29.000Z", - "recommendation": "Upgrade to version 1.6.1 or later", - "cwe": "CWE-295", - "found_by": null, - "deleted": null, - "id": 1005175, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-31597\n- https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2\n- https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1\n- https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt\n- 
https://security.netapp.com/advisory/ntap-20210618-0004/\n- https://github.com/advisories/GHSA-72mh-269x-7mh5", - "created": "2021-11-18T16:00:48.519Z", - "reported_by": null, - "title": "Improper Certificate Validation in xmlhttprequest-ssl", - "npm_advisory_id": null, - "overview": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", - "url": "https://github.com/advisories/GHSA-72mh-269x-7mh5" - }, - "1005260": { - "findings": [ - { - "version": "1.5.5", - "paths": [ - ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.6.2", - "module_name": "xmlhttprequest-ssl", - "severity": "high", - "github_advisory_id": "GHSA-h4j5-c7cj-74xg", - "cves": [ - "CVE-2020-28502" - ], - "access": "public", - "patched_versions": ">=1.6.2", - "updated": "2021-05-04T18:00:49.000Z", - "recommendation": "Upgrade to version 1.6.2 or later", - "cwe": "CWE-94", - "found_by": null, - "deleted": null, - "id": 1005260, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28502\n- https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6\n- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480\n- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480\n- https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938\n- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935\n- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936\n- 
https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291\n- https://github.com/advisories/GHSA-h4j5-c7cj-74xg", - "created": "2021-11-18T16:00:48.526Z", - "reported_by": null, - "title": "Arbitrary Code Injection", - "npm_advisory_id": null, - "overview": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", - "url": "https://github.com/advisories/GHSA-h4j5-c7cj-74xg" - }, - "1005277": { - "findings": [ - { - "version": "2.8.0", - "paths": [ - ".>karma>log4js>redis" - ] - } - ], - "metadata": null, - "vulnerable_versions": ">=2.6.0 <3.1.1", - "module_name": "redis", - "severity": "low", - "github_advisory_id": "GHSA-35q2-47q7-3pc3", - "cves": [ - "CVE-2021-29469" - ], - "access": "public", - "patched_versions": ">=3.1.1", - "updated": "2021-04-23T18:11:39.000Z", - "recommendation": "Upgrade to version 3.1.1 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1005277, - "references": "- https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29469\n- https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e\n- https://github.com/NodeRedis/node-redis/releases/tag/v3.1.1\n- https://security.netapp.com/advisory/ntap-20210611-0010/\n- https://github.com/advisories/GHSA-35q2-47q7-3pc3", - "created": "2021-11-18T16:00:48.528Z", - "reported_by": null, - "title": "Potential exponential regex in monitor mode", - "npm_advisory_id": null, - "overview": "### Impact\nWhen a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. 
This issue could lead to a denial of service.\n\n### Patches\nThe problem was fixed in commit [`2d11b6d`](https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e) and was released in version `3.1.1`.\n\n### References\n#1569 (GHSL-2021-026)", - "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3" - }, - "1005307": { - "findings": [ - { - "version": "2.7.2", - "paths": [ - ".>karma>log4js>nodemailer" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.4.16", - "module_name": "nodemailer", - "severity": "critical", - "github_advisory_id": "GHSA-48ww-j4fc-435p", - "cves": [ - "CVE-2020-7769" - ], - "access": "public", - "patched_versions": ">=6.4.16", - "updated": "2021-04-19T22:42:20.000Z", - "recommendation": "Upgrade to version 6.4.16 or later", - "cwe": "CWE-88", - "found_by": null, - "deleted": null, - "id": 1005307, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-7769\n- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54\n- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742\n- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834\n- https://www.npmjs.com/package/nodemailer\n- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75\n- https://github.com/advisories/GHSA-48ww-j4fc-435p", - "created": "2021-11-18T16:00:48.531Z", - "reported_by": null, - "title": "Command injection in nodemailer", - "npm_advisory_id": null, - "overview": "This affects the package nodemailer before 6.4.16. 
Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.", - "url": "https://github.com/advisories/GHSA-48ww-j4fc-435p" - }, - "1005367": { - "findings": [ - { - "version": "1.7.0", - "paths": [ - ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore" - ] - } - ], - "metadata": null, - "vulnerable_versions": ">=1.3.2 <1.12.1", - "module_name": "underscore", - "severity": "high", - "github_advisory_id": "GHSA-cf4h-3jhx-xvhq", - "cves": [ - "CVE-2021-23358" - ], - "access": "public", - "patched_versions": ">=1.12.1", - "updated": "2021-03-31T21:59:01.000Z", - "recommendation": "Upgrade to version 1.12.1 or later", - "cwe": "CWE-94", - "found_by": null, - "deleted": null, - "id": 1005367, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23358\n- https://github.com/jashkenas/underscore/pull/2917\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\n- https://www.npmjs.com/package/underscore\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\n- https://www.debian.org/security/2021/dsa-4883\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\n- 
https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\n- https://www.tenable.com/security/tns-2021-14\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", - "created": "2021-11-18T16:00:48.535Z", - "reported_by": null, - "title": "Arbitrary Code Execution in underscore", - "npm_advisory_id": null, - "overview": "The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", - "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq" - }, - "1005392": { - "findings": [ - { - "version": "1.0.6", - "paths": [ - ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<2.0.1", - "module_name": "netmask", - "severity": "moderate", - "github_advisory_id": "GHSA-pch5-whg9-qr2r", - "cves": [ - "CVE-2021-29418" - ], - "access": "public", - "patched_versions": ">=2.0.1", - "updated": "2021-03-29T21:31:25.000Z", - "recommendation": "Upgrade to version 2.0.1 or later", - "cwe": "CWE-20", - "found_by": null, - "deleted": null, - "id": 1005392, - "references": "- https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4\n- https://sick.codes/sick-2021-011\n- 
https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/\n- https://www.npmjs.com/package/netmask\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29418\n- https://vuln.ryotak.me/advisories/6\n- https://security.netapp.com/advisory/ntap-20210604-0001/\n- https://github.com/advisories/GHSA-pch5-whg9-qr2r", - "created": "2021-11-18T16:00:48.537Z", - "reported_by": null, - "title": "netmask npm package vulnerable to octal input data", - "npm_advisory_id": null, - "overview": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.", - "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r" - }, - "1005404": { - "findings": [ - { - "version": "1.4.7", - "paths": [ - ".>karma>log4js>amqplib>url-parse" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.5.0", - "module_name": "url-parse", - "severity": "high", - "github_advisory_id": "GHSA-9m6j-fcg5-2442", - "cves": [ - "CVE-2021-27515" - ], - "access": "public", - "patched_versions": ">=1.5.0", - "updated": "2021-03-22T21:04:52.000Z", - "recommendation": "Upgrade to version 1.5.0 or later", - "cwe": "CWE-23", - "found_by": null, - "deleted": null, - "id": 1005404, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-27515\n- https://github.com/unshiftio/url-parse/pull/197\n- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0\n- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0\n- https://advisory.checkmarx.net/advisory/CX-2021-4306\n- https://github.com/advisories/GHSA-9m6j-fcg5-2442", - "created": "2021-11-18T16:00:48.538Z", - "reported_by": null, - "title": "Path 
traversal in url-parse", - "npm_advisory_id": null, - "overview": "url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path.", - "url": "https://github.com/advisories/GHSA-9m6j-fcg5-2442" - }, - "1005490": { - "findings": [ - { - "version": "2.0.4", - "paths": [ - ".>karma>socket.io" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<2.4.0", - "module_name": "socket.io", - "severity": "moderate", - "github_advisory_id": "GHSA-fxwf-4rqh-v8g3", - "cves": [ - "CVE-2020-28481" - ], - "access": "public", - "patched_versions": ">=2.4.0", - "updated": "2021-01-20T05:39:25.000Z", - "recommendation": "Upgrade to version 2.4.0 or later", - "cwe": "CWE-346", - "found_by": null, - "deleted": null, - "id": 1005490, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28481\n- https://github.com/socketio/socket.io/issues/3671\n- https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357\n- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859\n- https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", - "created": "2021-11-18T16:00:48.545Z", - "reported_by": null, - "title": "Insecure defaults due to CORS misconfiguration in socket.io", - "npm_advisory_id": null, - "overview": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. 
All domains are whitelisted by default.", - "url": "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3" - }, - "1005506": { - "findings": [ - { - "version": "0.15.3", - "paths": [ - ".>axios" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<0.21.1", - "module_name": "axios", - "severity": "high", - "github_advisory_id": "GHSA-4w2v-q235-vp99", - "cves": [ - "CVE-2020-28168" - ], - "access": "public", - "patched_versions": ">=0.21.1", - "updated": "2021-01-04T20:58:17.000Z", - "recommendation": "Upgrade to version 0.21.1 or later", - "cwe": "CWE-918", - "found_by": null, - "deleted": null, - "id": 1005506, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28168\n- https://github.com/axios/axios/issues/3369\n- https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55\n- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255\n- https://www.npmjs.com/package/axios\n- https://www.npmjs.com/advisories/1594\n- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-4w2v-q235-vp99", - "created": "2021-11-18T16:00:48.546Z", - "reported_by": null, - "title": "Server-Side Request Forgery in Axios", - "npm_advisory_id": null, - "overview": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.", - "url": "https://github.com/advisories/GHSA-4w2v-q235-vp99" - }, - "1005563": { - "findings": [ - { - "version": "1.1.2", - "paths": [ - ".>karma>log4js>loggly>request>bl" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.2.3", 
- "module_name": "bl", - "severity": "high", - "github_advisory_id": "GHSA-pp7h-53gx-mx7r", - "cves": [ - "CVE-2020-8244" - ], - "access": "public", - "patched_versions": ">=1.2.3", - "updated": "2020-09-08T19:01:38.000Z", - "recommendation": "Upgrade to version 1.2.3 or later", - "cwe": "CWE-125", - "found_by": null, - "deleted": null, - "id": 1005563, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-8244\n- https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e\n- https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190\n- https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466\n- https://hackerone.com/reports/966347\n- https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "created": "2021-11-18T16:00:48.550Z", - "reported_by": null, - "title": "Remote Memory Exposure in bl", - "npm_advisory_id": null, - "overview": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" - }, - "1005586": { - "findings": [ - { - "version": "1.18.0", - "paths": [ - ".>karma>http-proxy" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.18.1", - "module_name": "http-proxy", - "severity": "high", - "github_advisory_id": "GHSA-6x33-pw7p-hmpq", - "cves": [], - "access": "public", - "patched_versions": ">=1.18.1", - "updated": "2020-08-31T19:01:07.000Z", - "recommendation": "Upgrade to version 1.18.1 or later", - "cwe": "", - "found_by": null, - "deleted": null, - "id": 1005586, - "references": "- https://github.com/http-party/node-http-proxy/pull/1447/files\n- https://www.npmjs.com/advisories/1486\n- https://github.com/advisories/GHSA-6x33-pw7p-hmpq", - "created": 
"2021-11-18T16:00:48.552Z", - "reported_by": null, - "title": "Denial of Service in http-proxy", - "npm_advisory_id": null, - "overview": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function. \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception: \n```curl -XPOST http://localhost:3000 -d \"$(python -c 'print(\"x\"*1025)')\"```\n\n\n## Recommendation\n\nUpgrade to version 1.18.1 or later", - "url": "https://github.com/advisories/GHSA-6x33-pw7p-hmpq" - }, - "1005745": { - "findings": [ - { - "version": "2.3.0", - "paths": [ - ".>karma>log4js>loggly>timespan" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=2.3.0", - "module_name": "timespan", - "severity": "low", - "github_advisory_id": "GHSA-f523-2f5j-gfcg", - "cves": [ - "CVE-2017-16115" - ], - "access": "public", - "patched_versions": "<0.0.0", - "updated": "2020-08-31T18:26:45.000Z", - "recommendation": "None", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1005745, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16115\n- https://github.com/indexzero/TimeSpan.js/issues/10\n- https://github.com/advisories/GHSA-f523-2f5j-gfcg\n- https://www.npmjs.com/advisories/533\n- https://nodesecurity.io/advisories/533", - "created": "2021-11-18T16:00:48.567Z", - "reported_by": null, - "title": "Regular Expression Denial of Service in timespan", - "npm_advisory_id": null, - "overview": "Affected versions of `timespan` are vulnerable to a regular expression denial of service when parsing dates.\n\nThe amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.\n\n\n## 
Recommendation\n\nNo direct patch is available for this vulnerability.\n\nCurrently, the best available solution is to use a functionally equivalent alternative package.\n\nIt is also sufficient to ensure that user input is not being passed into `timespan`, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.", - "url": "https://github.com/advisories/GHSA-f523-2f5j-gfcg" - }, - "1005902": { - "findings": [ - { - "version": "0.6.2", - "paths": [ - ".>sync-exec" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.6.2", - "module_name": "sync-exec", - "severity": "moderate", - "github_advisory_id": "GHSA-38h8-x697-gh8q", - "cves": [ - "CVE-2017-16024" - ], - "access": "public", - "patched_versions": "<0.0.0", - "updated": "2020-08-31T18:18:48.000Z", - "recommendation": "None", - "cwe": "CWE-377", - "found_by": null, - "deleted": null, - "id": 1005902, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16024\n- https://github.com/gvarsanyi/sync-exec/issues/17\n- https://cwe.mitre.org/data/definitions/377.html\n- https://github.com/advisories/GHSA-38h8-x697-gh8q\n- https://www.npmjs.com/advisories/310\n- https://nodesecurity.io/advisories/310\n- https://www.owasp.org/index.php/Insecure_Temporary_File", - "created": "2021-11-18T16:00:48.581Z", - "reported_by": null, - "title": "Tmp files readable by other users in sync-exec", - "npm_advisory_id": null, - "overview": "Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. 
As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user.\n\n\n## Recommendation\n\nThere is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. \n\nThe best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.", - "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q" - }, - "1006110": { - "findings": [ - { - "version": "6.0.2", - "paths": [ - ".>karma>chokidar>anymatch>micromatch>kind-of" - ] - } - ], - "metadata": null, - "vulnerable_versions": ">=6.0.0 <6.0.3", - "module_name": "kind-of", - "severity": "high", - "github_advisory_id": "GHSA-6c8f-qphg-qjgp", - "cves": [ - "CVE-2019-20149" - ], - "access": "public", - "patched_versions": ">=6.0.3", - "updated": "2020-07-01T18:33:47.000Z", - "recommendation": "Upgrade to version 6.0.3 or later", - "cwe": "CWE-668", - "found_by": null, - "deleted": null, - "id": 1006110, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-20149\n- https://github.com/jonschlinkert/kind-of/issues/30\n- https://github.com/jonschlinkert/kind-of/pull/31\n- https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b\n- https://snyk.io/vuln/SNYK-JS-KINDOF-537849\n- https://www.npmjs.com/advisories/1490\n- https://github.com/advisories/GHSA-6c8f-qphg-qjgp", - "created": "2021-11-18T16:00:48.599Z", - "reported_by": null, - "title": "Validation Bypass in kind-of", - "npm_advisory_id": null, - "overview": "Versions of `kind-of` 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation. 
\n\n\n## Recommendation\n\nUpgrade to versions 6.0.3 or later.", - "url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp" - }, - "1006180": { - "findings": [ - { - "version": "0.0.8", - "paths": [ - ".>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist" - ] - }, - { - "version": "0.0.10", - "paths": [ - ".>karma>optimist>minimist" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<0.2.1", - "module_name": "minimist", - "severity": "moderate", - "github_advisory_id": "GHSA-vh95-rmgr-6w4m", - "cves": [ - "CVE-2020-7598" - ], - "access": "public", - "patched_versions": ">=0.2.1", - "updated": "2020-04-03T21:42:10.000Z", - "recommendation": "Upgrade to version 0.2.1 or later", - "cwe": "CWE-915", - "found_by": null, - "deleted": null, - "id": 1006180, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-7598\n- https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab\n- https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html\n- https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95\n- https://www.npmjs.com/advisories/1179\n- https://github.com/advisories/GHSA-vh95-rmgr-6w4m", - "created": "2021-11-18T16:00:48.604Z", - "reported_by": null, - "title": "Prototype Pollution in minimist", - "npm_advisory_id": null, - "overview": "Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises and uncaught error and crashes the application. 
\nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n\n\n\n## Recommendation\n\nUpgrade to versions 0.2.1, 1.2.3 or later.", - "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" - }, - "1006342": { - "findings": [ - { - "version": "0.1.5", - "paths": [ - ".>karma>expand-braces>braces" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<2.3.1", - "module_name": "braces", - "severity": "low", - "github_advisory_id": "GHSA-g95f-p29q-9xw4", - "cves": [], - "access": "public", - "patched_versions": ">=2.3.1", - "updated": "2019-06-06T09:40:52.000Z", - "recommendation": "Upgrade to version 2.3.1 or later", - "cwe": "CWE-185", - "found_by": null, - "deleted": null, - "id": 1006342, - "references": "- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://www.npmjs.com/advisories/786\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-g95f-p29q-9xw4", - "created": "2021-11-18T16:00:48.617Z", - "reported_by": null, - "title": "Regular Expression Denial of Service in braces", - "npm_advisory_id": null, - "overview": "Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. 
This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 2.3.1 or higher.", - "url": "https://github.com/advisories/GHSA-g95f-p29q-9xw4" - }, - "1006349": { - "findings": [ - { - "version": "0.15.3", - "paths": [ - ".>axios" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.18.0", - "module_name": "axios", - "severity": "high", - "github_advisory_id": "GHSA-42xw-2xvc-qx8m", - "cves": [ - "CVE-2019-10742" - ], - "access": "public", - "patched_versions": ">=0.18.1", - "updated": "2019-06-05T16:22:11.000Z", - "recommendation": "Upgrade to version 0.18.1 or later", - "cwe": "CWE-20", - "found_by": null, - "deleted": null, - "id": 1006349, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-10742\n- https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://github.com/axios/axios/issues/1098\n- https://github.com/axios/axios/pull/1485\n- https://snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://www.npmjs.com/advisories/880\n- https://github.com/advisories/GHSA-42xw-2xvc-qx8m", - "created": "2021-11-18T16:00:48.617Z", - "reported_by": null, - "title": "Denial of Service in axios", - "npm_advisory_id": null, - "overview": "Versions of `axios` prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the `maxContentLength` property, the package prints an error but does not stop the request. 
This may cause high CPU usage and lead to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to 0.18.1 or later.", - "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m" - }, - "1006373": { - "findings": [ - { - "version": "0.4.3", - "paths": [ - ".>karma>log4js>loggly>request>tunnel-agent" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<0.6.0", - "module_name": "tunnel-agent", - "severity": "moderate", - "github_advisory_id": "GHSA-xc7v-wxcw-j472", - "cves": [], - "access": "public", - "patched_versions": ">=0.6.0", - "updated": "2019-06-03T17:08:06.000Z", - "recommendation": "Upgrade to version 0.6.0 or later", - "cwe": "CWE-200", - "found_by": null, - "deleted": null, - "id": 1006373, - "references": "- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472", - "created": "2021-11-18T16:00:48.619Z", - "reported_by": null, - "title": "Memory Exposure in tunnel-agent", - "npm_advisory_id": null, - "overview": "Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```\n\n\n## Recommendation\n\nUpdate to version 0.6.0 or later.", - "url": "https://github.com/advisories/GHSA-xc7v-wxcw-j472" - }, - "1006603": { - "findings": [ - { - "version": "2.0.5", - "paths": [ - ".>karma>log4js>loggly>request>hawk>cryptiles" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.1.2", - "module_name": "cryptiles", - "severity": "critical", - "github_advisory_id": "GHSA-rq8g-5pc5-wrhr", - "cves": [ - "CVE-2018-1000620" - ], - 
"access": "public", - "patched_versions": ">=4.1.2", - "updated": "2018-09-11T18:22:44.000Z", - "recommendation": "Upgrade to version 4.1.2 or later", - "cwe": "CWE-331", - "found_by": null, - "deleted": null, - "id": 1006603, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-1000620\n- https://github.com/hapijs/cryptiles/issues/34\n- https://github.com/advisories/GHSA-rq8g-5pc5-wrhr\n- https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json\n- https://www.npmjs.com/advisories/720\n- https://www.npmjs.com/advisories/1464", - "created": "2021-11-18T16:00:48.639Z", - "reported_by": null, - "title": "Insufficient Entropy in cryptiles", - "npm_advisory_id": null, - "overview": "Versions of `cryptiles` prior to 4.1.2 are vulnerable to Insufficient Entropy. The `randomDigits()` method does not provide sufficient entropy and its generates digits that are not evenly distributed.\n\n\n## Recommendation\n\nUpgrade to version 4.1.2. The package is deprecated and has been moved to `@hapi/cryptiles` and it is strongly recommended to use the maintained package.", - "url": "https://github.com/advisories/GHSA-rq8g-5pc5-wrhr" - }, - "1006659": { - "findings": [ - { - "version": "2.16.3", - "paths": [ - ".>karma>log4js>loggly>request>hawk>hoek" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.2.1", - "module_name": "hoek", - "severity": "moderate", - "github_advisory_id": "GHSA-jp4x-w63m-7wgm", - "cves": [ - "CVE-2018-3728" - ], - "access": "public", - "patched_versions": ">=4.2.1", - "updated": "2018-04-27T13:38:53.000Z", - "recommendation": "Upgrade to version 4.2.1 or later", - "cwe": "CWE-471", - "found_by": null, - "deleted": null, - "id": 1006659, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3728\n- https://hackerone.com/reports/310439\n- https://github.com/advisories/GHSA-jp4x-w63m-7wgm\n- https://www.npmjs.com/advisories/566\n- https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee\n- 
https://access.redhat.com/errata/RHSA-2018:1263\n- https://access.redhat.com/errata/RHSA-2018:1264\n- https://nodesecurity.io/advisories/566\n- https://snyk.io/vuln/npm:hoek:20180212\n- http://www.securityfocus.com/bid/103108", - "created": "2021-11-18T16:00:48.643Z", - "reported_by": null, - "title": "Prototype Pollution in hoek", - "npm_advisory_id": null, - "overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.\n\n\n## Recommendation\n\nUpdate to version 4.2.1, 5.0.3 or later.", - "url": "https://github.com/advisories/GHSA-jp4x-w63m-7wgm" - }, - "1006724": { - "findings": [ - { - "version": "0.2.3", - "paths": [ - ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<0.4.0", - "module_name": "json-schema", - "severity": "moderate", - "github_advisory_id": "GHSA-896r-f27r-55mw", - "cves": [ - "CVE-2021-3918" - ], - "access": "public", - "patched_versions": ">=0.4.0", - "updated": "2021-11-15T22:44:28.000Z", - "recommendation": "Upgrade to version 0.4.0 or later", - "cwe": "CWE-915", - "found_by": null, - "deleted": null, - "id": 1006724, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- 
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://github.com/advisories/GHSA-896r-f27r-55mw", - "created": "2021-11-19T21:00:41.916Z", - "reported_by": null, - "title": "json-schema is vulnerable to Prototype Pollution", - "npm_advisory_id": null, - "overview": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", - "url": "https://github.com/advisories/GHSA-896r-f27r-55mw" - }, - "1006788": { - "findings": [ - { - "version": "2.7.2", - "paths": [ - ".>karma>log4js>nodemailer" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.6.1", - "module_name": "nodemailer", - "severity": "moderate", - "github_advisory_id": "GHSA-hwqf-gcqm-7353", - "cves": [ - "CVE-2021-23400" - ], - "access": "public", - "patched_versions": ">=6.6.1", - "updated": "2021-06-30T17:38:02.000Z", - "recommendation": "Upgrade to version 6.6.1 or later", - "cwe": "CWE-74", - "found_by": null, - "deleted": null, - "id": 1006788, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23400\n- https://github.com/nodemailer/nodemailer/issues/1289\n- https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737\n- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415\n- https://github.com/advisories/GHSA-hwqf-gcqm-7353", - "created": "2021-12-10T19:00:45.984Z", - "reported_by": null, - "title": "Header injection in nodemailer", - "npm_advisory_id": null, - "overview": "The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.", - 
"url": "https://github.com/advisories/GHSA-hwqf-gcqm-7353" - }, - "1006822": { - "findings": [ - { - "version": "1.0.6", - "paths": [ - ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.1.0", - "module_name": "netmask", - "severity": "critical", - "github_advisory_id": "GHSA-4c7m-wxvm-r7gc", - "cves": [ - "CVE-2021-28918" - ], - "access": "public", - "patched_versions": ">=1.1.0", - "updated": "2021-04-13T16:13:23.000Z", - "recommendation": "Upgrade to version 1.1.0 or later", - "cwe": "CWE-20", - "found_by": null, - "deleted": null, - "id": 1006822, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-28918\n- https://github.com/rs/node-netmask/blob/98294cb20695f2c6c36219a4fbcd4744fb8d0682/CHANGELOG.md#v110-mar-18-2021\n- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md\n- https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/\n- https://www.npmjs.com/package/netmask\n- https://github.com/advisories/GHSA-pch5-whg9-qr2r\n- https://security.netapp.com/advisory/ntap-20210528-0010/\n- https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/\n- https://github.com/advisories/GHSA-4c7m-wxvm-r7gc", - "created": "2022-01-04T20:00:43.966Z", - "reported_by": null, - "title": "Improper parsing of octal bytes in netmask", - "npm_advisory_id": null, - "overview": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.\n\n:exclamation: NOTE: The fix for this issue was incomplete. 
A subsequent fix was made in version `2.0.1` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.", - "url": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc" - }, - "1006837": { - "findings": [ - { - "version": "0.1.5", - "paths": [ - ".>karma>expand-braces>braces" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<2.3.1", - "module_name": "braces", - "severity": "low", - "github_advisory_id": "GHSA-cwfw-4gq5-mrqx", - "cves": [ - "CVE-2018-1109" - ], - "access": "public", - "patched_versions": ">=2.3.1", - "updated": "2021-03-31T21:35:00.000Z", - "recommendation": "Upgrade to version 2.3.1 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006837, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-1109\n- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://bugzilla.redhat.com/show_bug.cgi?id=1547272\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-cwfw-4gq5-mrqx", - "created": "2022-01-06T21:00:43.096Z", - "reported_by": null, - "title": "Regular Expression Denial of Service (ReDoS) in braces", - "npm_advisory_id": null, - "overview": "A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "url": "https://github.com/advisories/GHSA-cwfw-4gq5-mrqx" - }, - "1006865": { - "findings": [ - { - "version": "1.0.0", - "paths": [ - ".>axios>follow-redirects" - ] - }, - { - "version": "1.9.0", - "paths": [ - ".>karma>http-proxy>follow-redirects" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.14.7", - "module_name": "follow-redirects", - "severity": "high", - "github_advisory_id": "GHSA-74fj-2j2h-c42q", - "cves": [ - "CVE-2022-0155" - ], - "access": "public", - "patched_versions": ">=1.14.7", - "updated": "2022-01-11T18:41:09.000Z", - "recommendation": "Upgrade to version 1.14.7 or later", - "cwe": "CWE-359", - "found_by": null, - "deleted": null, - "id": 1006865, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q", - "created": "2022-01-12T23:00:43.967Z", - "reported_by": null, + "follow-redirects": [ + { + "id": 1102323, + "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q", "title": "Exposure of sensitive information in follow-redirects", - "npm_advisory_id": null, - "overview": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor", - "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q" - }, - "1006902": { - "findings": [ - { - "version": "2.11.0", - "paths": [ - ".>karma>log4js" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.4.0", - "module_name": "log4js", - "severity": "moderate", - "github_advisory_id": "GHSA-82v2-mx6x-wq7q", - "cves": [ - "CVE-2022-21704" - ], - "access": "public", - "patched_versions": ">=6.4.0", - "updated": "2022-01-19T22:47:15.000Z", - "recommendation": "Upgrade to version 6.4.0 or later", - "cwe": 
"CWE-276", - "found_by": null, - "deleted": null, - "id": 1006902, - "references": "- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q", - "created": "2022-01-25T20:00:44.170Z", - "reported_by": null, - "title": "Incorrect Default Permissions in log4js", - "npm_advisory_id": null, - "overview": "### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @peteriman for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n", - "url": 
"https://github.com/advisories/GHSA-82v2-mx6x-wq7q" - }, - "1006947": { - "findings": [ - { - "version": "3.1.0", - "paths": [ - ".>karma>chokidar>glob-parent" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<5.1.2", - "module_name": "glob-parent", "severity": "high", - "github_advisory_id": "GHSA-ww39-953v-wcq6", - "cves": [ - "CVE-2020-28469" + "vulnerable_versions": "<1.14.7", + "cwe": [ + "CWE-359" ], - "access": "public", - "patched_versions": ">=5.1.2", - "updated": "2021-06-04T18:30:46.000Z", - "recommendation": "Upgrade to version 5.1.2 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006947, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-ww39-953v-wcq6", - "created": "2022-02-08T22:00:42.497Z", - "reported_by": null, - "title": "Regular expression denial of service", - "npm_advisory_id": null, - "overview": "This affects the package glob-parent before 5.1.2. 
The enclosure regex used to check for strings ending in enclosure containing path separator.", - "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6" + "cvss": { + "score": 8, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } }, - "1006948": { - "findings": [ - { - "version": "4.17.15", - "paths": [ - ".>karma>lodash" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.17.21", - "module_name": "lodash", - "severity": "high", - "github_advisory_id": "GHSA-35jh-r3h4-6jhm", - "cves": [ - "CVE-2021-23337" - ], - "access": "public", - "patched_versions": ">=4.17.21", - "updated": "2021-03-31T23:59:26.000Z", - "recommendation": "Upgrade to version 4.17.21 or later", - "cwe": "CWE-77", - "found_by": null, - "deleted": null, - "id": 1006948, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "created": "2022-02-08T22:00:42.498Z", - "reported_by": null, - "title": "Command Injection in lodash", - "npm_advisory_id": null, - "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template 
function.", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - }, - "1006949": { - "findings": [ - { - "version": "4.17.15", - "paths": [ - ".>karma>lodash" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.17.21", - "module_name": "lodash", + { + "id": 1109569, + "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", + "title": "Follow Redirects improperly handles URLs in the url.parse() function", "severity": "moderate", - "github_advisory_id": "GHSA-29mw-wpgm-hmr9", - "cves": [ - "CVE-2020-28500" + "vulnerable_versions": "<1.15.4", + "cwe": [ + "CWE-20", + "CWE-601" ], - "access": "public", - "patched_versions": ">=4.17.21", - "updated": "2021-03-19T22:45:29.000Z", - "recommendation": "Upgrade to version 4.17.21 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006949, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9", - "created": "2022-02-08T22:00:42.498Z", - "reported_by": null, - "title": "Regular Expression Denial of Service (ReDoS) in lodash", - "npm_advisory_id": null, - "overview": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular 
Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)", - "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" + "cvss": { + "score": 6.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } }, - "1006952": { - "findings": [ - { - "version": "4.17.15", - "paths": [ - ".>karma>lodash" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.17.19", - "module_name": "lodash", - "severity": "high", - "github_advisory_id": "GHSA-p6mc-m468-83gw", - "cves": [ - "CVE-2020-8203" - ], - "access": "public", - "patched_versions": ">=4.17.19", - "updated": "2020-07-15T19:15:01.000Z", - "recommendation": "Upgrade to version 4.17.19 or later", - "cwe": "CWE-770", - "found_by": null, - "deleted": null, - "id": 1006952, - "references": "- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- 
https://github.com/advisories/GHSA-p6mc-m468-83gw", - "created": "2022-02-08T23:00:41.860Z", - "reported_by": null, - "title": "Prototype Pollution in lodash", - "npm_advisory_id": null, - "overview": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.", - "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" - }, - "1006975": { - "findings": [ - { - "version": "3.1.5", - "paths": [ - ".>karma>socket.io>engine.io" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<4.0.0", - "module_name": "engine.io", - "severity": "high", - "github_advisory_id": "GHSA-j4f2-536g-r55m", - "cves": [ - "CVE-2020-36048" - ], - "access": "public", - "patched_versions": ">=4.0.0", - "updated": "2021-04-06T22:58:34.000Z", - "recommendation": "Upgrade to version 4.0.0 or later", - "cwe": "CWE-400", - "found_by": null, - "deleted": null, - "id": 1006975, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-36048\n- https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b\n- https://blog.caller.xyz/socketio-engineio-dos/\n- https://github.com/bcaller/kill-engine-io\n- https://github.com/advisories/GHSA-j4f2-536g-r55m", - "created": "2022-02-09T23:00:44.110Z", - "reported_by": null, - "title": "Resource exhaustion in engine.io ", - "npm_advisory_id": null, - "overview": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.", - "url": "https://github.com/advisories/GHSA-j4f2-536g-r55m" - }, - "1006997": { - "findings": 
[ - { - "version": "2.0.5", - "paths": [ - ".>karma" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.3.14", - "module_name": "karma", + { + "id": 1096856, + "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", + "title": "follow-redirects' Proxy-Authorization header kept across hosts", "severity": "moderate", - "github_advisory_id": "GHSA-7x7c-qm48-pq9c", - "cves": [ - "CVE-2022-0437" + "vulnerable_versions": "<=1.15.5", + "cwe": [ + "CWE-200" ], - "access": "public", - "patched_versions": ">=6.3.14", - "updated": "2022-02-07T21:57:21.000Z", - "recommendation": "Upgrade to version 6.3.14 or later", - "cwe": "CWE-79", - "found_by": null, - "deleted": null, - "id": 1006997, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0437\n- https://github.com/karma-runner/karma/commit/839578c45a8ac42fbc1d72105f97eab77dd3eb8a\n- https://huntr.dev/bounties/64b67ea1-5487-4382-a5f6-e8a95f798885\n- https://github.com/karma-runner/karma/releases/tag/v6.3.14\n- https://github.com/advisories/GHSA-7x7c-qm48-pq9c", - "created": "2022-02-11T00:00:43.705Z", - "reported_by": null, - "title": "Cross-site Scripting in karma", - "npm_advisory_id": null, - "overview": "karma prior to version 6.3.14 contains a cross-site scripting vulnerability.", - "url": "https://github.com/advisories/GHSA-7x7c-qm48-pq9c" + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } }, - "1007017": { - "findings": [ - { - "version": "6.10.2", - "paths": [ - ".>karma>log4js>hipchat-notifier>request>har-validator>ajv" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<6.12.3", - "module_name": "ajv", + { + "id": 1116560, + "url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653", + "title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets", "severity": "moderate", - "github_advisory_id": "GHSA-v88g-cgmw-v5xw", - "cves": [ - "CVE-2020-15366" + "vulnerable_versions": "<=1.15.11", + "cwe": [ + 
"CWE-200" ], - "access": "public", - "patched_versions": ">=6.12.3", - "updated": "2021-05-10T21:23:42.000Z", - "recommendation": "Upgrade to version 6.12.3 or later", - "cwe": "CWE-915", - "found_by": null, - "deleted": null, - "id": 1007017, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw", - "created": "2022-02-11T00:00:43.707Z", - "reported_by": null, - "title": "Prototype Pollution in Ajv", - "npm_advisory_id": null, - "overview": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", - "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw" + "cvss": { + "score": 0, + "vectorString": null + } }, - "1007026": { - "findings": [ - { - "version": "1.0.0", - "paths": [ - ".>axios>follow-redirects" - ] - }, - { - "version": "1.9.0", - "paths": [ - ".>karma>http-proxy>follow-redirects" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.14.8", - "module_name": "follow-redirects", - "severity": "moderate", - "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", - "cves": [ - "CVE-2022-0536" - ], - "access": "public", - "patched_versions": ">=1.14.8", - "updated": "2022-02-11T21:18:03.000Z", - "recommendation": "Upgrade to version 1.14.8 or later", - "cwe": "CWE-200", - "found_by": null, - "deleted": null, - "id": 1007026, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\n- 
https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", - "created": "2022-02-14T23:00:43.878Z", - "reported_by": null, + { + "id": 1092623, + "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", - "npm_advisory_id": null, - "overview": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.", - "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c" - }, - "1007030": { - "findings": [ - { - "version": "1.4.7", - "paths": [ - ".>karma>log4js>amqplib>url-parse" - ] - } + "severity": "moderate", + "vulnerable_versions": "<1.14.8", + "cwe": [ + "CWE-200", + "CWE-212" ], - "metadata": null, - "vulnerable_versions": "<1.5.6", - "module_name": "url-parse", - "severity": "high", - "github_advisory_id": "GHSA-rqff-837h-mm52", - "cves": [ - "CVE-2022-0512" - ], - "access": "public", - "patched_versions": ">=1.5.6", - "updated": "2022-02-16T22:37:40.000Z", - "recommendation": "Upgrade to version 1.5.6 or later", - "cwe": "CWE-639", - "found_by": null, - "deleted": null, - "id": 1007030, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0512\n- https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40\n- https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b\n- https://github.com/advisories/GHSA-rqff-837h-mm52", - "created": "2022-02-17T14:00:45.711Z", - "reported_by": null, - "title": "Authorization bypass in url-parse", - "npm_advisory_id": null, - "overview": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.", - "url": "https://github.com/advisories/GHSA-rqff-837h-mm52" + "cvss": { + "score": 5.9, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } } - }, - "muted": 
[], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 4, - "moderate": 17, - "high": 21, - "critical": 4 + ], + "debug": [ + { + "id": 1096792, + "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", + "title": "Regular Expression Denial of Service in debug", + "severity": "low", + "vulnerable_versions": ">=4.0.0 <4.3.1", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 3.7, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + } }, - "dependencies": 439, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 439 - } + { + "id": 1096793, + "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", + "title": "Regular Expression Denial of Service in debug", + "severity": "low", + "vulnerable_versions": ">=3.2.0 <3.2.7", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 3.7, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + } + ], + "karma": [ + { + "id": 1090418, + "url": "https://github.com/advisories/GHSA-rc3x-jf5g-xvc5", + "title": "Open redirect in karma", + "severity": "moderate", + "vulnerable_versions": "<6.3.16", + "cwe": [ + "CWE-601" + ], + "cvss": { + "score": 5.4, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } + }, + { + "id": 1090439, + "url": "https://github.com/advisories/GHSA-7x7c-qm48-pq9c", + "title": "Cross-site Scripting in karma", + "severity": "moderate", + "vulnerable_versions": "<6.3.14", + "cwe": [ + "CWE-79" + ], + "cvss": { + "score": 6.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + } + ], + "body-parser": [ + { + "id": 1099520, + "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", + "title": "body-parser vulnerable to denial of service when url encoding is enabled", + "severity": "high", + "vulnerable_versions": "<1.20.3", + "cwe": [ + "CWE-405" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "qs": [ + { + "id": 1104115, + "url": 
"https://github.com/advisories/GHSA-hrpp-h998-j3pp", + "title": "qs vulnerable to Prototype Pollution", + "severity": "high", + "vulnerable_versions": "<6.2.4", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1104118, + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", + "title": "qs vulnerable to Prototype Pollution", + "severity": "high", + "vulnerable_versions": ">=6.5.0 <6.5.3", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1104120, + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", + "title": "qs vulnerable to Prototype Pollution", + "severity": "high", + "vulnerable_versions": ">=6.7.0 <6.7.3", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1113161, + "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", + "title": "qs's arrayLimit bypass in comma parsing allows denial of service", + "severity": "low", + "vulnerable_versions": ">=6.7.0 <=6.14.1", + "cwe": [ + "CWE-20" + ], + "cvss": { + "score": 3.7, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + }, + { + "id": 1113719, + "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", + "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", + "severity": "moderate", + "vulnerable_versions": "<6.14.1", + "cwe": [ + "CWE-20" + ], + "cvss": { + "score": 3.7, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + } + ], + "micromatch": [ + { + "id": 1098681, + "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", + "title": "Regular Expression Denial of Service (ReDoS) in micromatch", + "severity": "moderate", + "vulnerable_versions": "<4.0.8", + "cwe": [ + "CWE-1333" + ], + "cvss": { + "score": 5.3, + "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + } + ], + "kind-of": [ + { + "id": 1095056, + "url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp", + "title": "Validation Bypass in kind-of", + "severity": "high", + "vulnerable_versions": ">=6.0.0 <6.0.3", + "cwe": [ + "CWE-668" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + } + ], + "decode-uri-component": [ + { + "id": 1094087, + "url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", + "title": "decode-uri-component vulnerable to Denial of Service (DoS)", + "severity": "high", + "vulnerable_versions": "<0.2.1", + "cwe": [ + "CWE-20" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "braces": [ + { + "id": 1098094, + "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", + "title": "Uncontrolled resource consumption in braces", + "severity": "high", + "vulnerable_versions": "<3.0.3", + "cwe": [ + "CWE-400", + "CWE-1050" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "fsevents": [ + { + "id": 1094997, + "url": "https://github.com/advisories/GHSA-8r6j-v8pm-fqw3", + "title": "Code injection in fsevents", + "severity": "critical", + "vulnerable_versions": "<=1.2.10", + "cwe": [ + "CWE-94" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1091853, + "url": "https://github.com/advisories/GHSA-xv2f-5jw4-v95m", + "title": "Malware in fsevents", + "severity": "critical", + "vulnerable_versions": ">=1.0.0 <1.2.11", + "cwe": [ + "CWE-506" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "minimist": [ + { + "id": 1097677, + "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "title": "Prototype Pollution in minimist", + "severity": "critical", + "vulnerable_versions": "<0.2.4", + "cwe": [ + "CWE-1321" + ], + "cvss": { + 
"score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1097678, + "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "title": "Prototype Pollution in minimist", + "severity": "critical", + "vulnerable_versions": ">=1.0.0 <1.2.6", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1096466, + "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", + "title": "Prototype Pollution in minimist", + "severity": "moderate", + "vulnerable_versions": "<0.2.1", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 5.6, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + } + ], + "semver": [ + { + "id": 1112918, + "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "title": "semver vulnerable to Regular Expression Denial of Service", + "severity": "high", + "vulnerable_versions": ">=2.0.0-alpha <5.7.2", + "cwe": [ + "CWE-1333" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "tar": [ + { + "id": 1112659, + "url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v", + "title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal", + "severity": "high", + "vulnerable_versions": "<7.5.7", + "cwe": [ + "CWE-22", + "CWE-59" + ], + "cvss": { + "score": 8.2, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" + } + }, + { + "id": 1113300, + "url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97", + "title": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization", + "severity": "high", + "vulnerable_versions": "<=7.5.2", + "cwe": [ + "CWE-22" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1113375, + "url": "https://github.com/advisories/GHSA-83g3-92jg-28cx", + "title": "Arbitrary File Read/Write via Hardlink Target 
Escape Through Symlink Chain in node-tar Extraction", + "severity": "high", + "vulnerable_versions": "<7.5.8", + "cwe": [ + "CWE-22" + ], + "cvss": { + "score": 7.1, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" + } + }, + { + "id": 1114200, + "url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96", + "title": "tar has Hardlink Path Traversal via Drive-Relative Linkpath", + "severity": "high", + "vulnerable_versions": "<=7.5.9", + "cwe": [ + "CWE-22", + "CWE-59" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1114302, + "url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256", + "title": "node-tar Symlink Path Traversal via Drive-Relative Linkpath", + "severity": "high", + "vulnerable_versions": "<=7.5.10", + "cwe": [ + "CWE-22" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1114680, + "url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w", + "title": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS", + "severity": "high", + "vulnerable_versions": "<=7.5.3", + "cwe": [ + "CWE-176", + "CWE-367" + ], + "cvss": { + "score": 8.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L" + } + }, + { + "id": 1095117, + "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", + "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "severity": "high", + "vulnerable_versions": "<4.4.18", + "cwe": [ + "CWE-22" + ], + "cvss": { + "score": 8.2, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" + } + }, + { + "id": 1097493, + "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", + "title": "Denial of service while parsing a tar file due to lack of folders count validation", + "severity": "moderate", + "vulnerable_versions": "<6.2.1", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + }, + { + "id": 
1096376, + "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc", + "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", + "severity": "high", + "vulnerable_versions": ">=3.0.0 <4.4.16", + "cwe": [ + "CWE-22", + "CWE-59" + ], + "cvss": { + "score": 8.2, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" + } + }, + { + "id": 1096411, + "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p", + "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", + "severity": "high", + "vulnerable_versions": ">=3.0.0 <4.4.18", + "cwe": [ + "CWE-22", + "CWE-59" + ], + "cvss": { + "score": 8.2, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" + } + } + ], + "http-proxy": [ + { + "id": 1096334, + "url": "https://github.com/advisories/GHSA-6x33-pw7p-hmpq", + "title": "Denial of Service in http-proxy", + "severity": "high", + "vulnerable_versions": "<1.18.1", + "cwe": [ + "CWE-184", + "CWE-693" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "lodash": [ + { + "id": 1106913, + "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "title": "Command Injection in lodash", + "severity": "high", + "vulnerable_versions": "<4.17.21", + "cwe": [ + "CWE-77", + "CWE-94" + ], + "cvss": { + "score": 7.2, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1106920, + "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "title": "Prototype Pollution in lodash", + "severity": "high", + "vulnerable_versions": ">=3.7.0 <4.17.19", + "cwe": [ + "CWE-770", + "CWE-1321" + ], + "cvss": { + "score": 7.4, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + }, + { + "id": 1108258, + "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9", + "title": "Regular Expression Denial 
of Service (ReDoS) in lodash", + "severity": "moderate", + "vulnerable_versions": ">=4.0.0 <4.17.21", + "cwe": [ + "CWE-400", + "CWE-1333" + ], + "cvss": { + "score": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + }, + { + "id": 1112455, + "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", + "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", + "severity": "moderate", + "vulnerable_versions": ">=4.0.0 <=4.17.22", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + }, + { + "id": 1115806, + "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", + "title": "lodash vulnerable to Code Injection via `_.template` imports key names", + "severity": "high", + "vulnerable_versions": ">=4.0.0 <=4.17.23", + "cwe": [ + "CWE-94" + ], + "cvss": { + "score": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1115810, + "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", + "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", + "severity": "moderate", + "vulnerable_versions": "<=4.17.23", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + } + ], + "log4js": [ + { + "id": 1095531, + "url": "https://github.com/advisories/GHSA-82v2-mx6x-wq7q", + "title": "Incorrect Default Permissions in log4js", + "severity": "moderate", + "vulnerable_versions": "<6.4.0", + "cwe": [ + "CWE-276" + ], + "cvss": { + "score": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + } + ], + "url-parse": [ + { + "id": 1112827, + "url": "https://github.com/advisories/GHSA-hh27-ffr2-f2jc", + "title": "Open redirect in url-parse", + "severity": "moderate", + "vulnerable_versions": ">=0.1.0 <1.5.2", + "cwe": [ + "CWE-601" + ], + "cvss": { + "score": 6.1, + 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + }, + { + "id": 1112828, + "url": "https://github.com/advisories/GHSA-9m6j-fcg5-2442", + "title": "Path traversal in url-parse", + "severity": "moderate", + "vulnerable_versions": ">=0.1.0 <1.5.0", + "cwe": [ + "CWE-23" + ], + "cvss": { + "score": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + }, + { + "id": 1112829, + "url": "https://github.com/advisories/GHSA-jf5r-8hm2-f872", + "title": "url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.", + "severity": "moderate", + "vulnerable_versions": ">=0.1.0 <1.5.9", + "cwe": [ + "CWE-639" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + }, + { + "id": 1113394, + "url": "https://github.com/advisories/GHSA-8v38-pw62-9cw2", + "title": "url-parse Incorrectly parses URLs that include an '@'", + "severity": "moderate", + "vulnerable_versions": ">=1.0.0 <1.5.7", + "cwe": [ + "CWE-639" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + }, + { + "id": 1113395, + "url": "https://github.com/advisories/GHSA-rqff-837h-mm52", + "title": "Authorization bypass in url-parse", + "severity": "moderate", + "vulnerable_versions": ">=0.1.0 <1.5.6", + "cwe": [ + "CWE-639" + ], + "cvss": { + "score": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + }, + { + "id": 1095095, + "url": "https://github.com/advisories/GHSA-hgjh-723h-mx2j", + "title": "Authorization Bypass Through User-Controlled Key in url-parse", + "severity": "critical", + "vulnerable_versions": "<1.5.8", + "cwe": [ + "CWE-639" + ], + "cvss": { + "score": 9.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + } + ], + "request": [ + { + "id": 1096727, + "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "title": "Server-Side Request Forgery in Request", + "severity": "moderate", + 
"vulnerable_versions": "<=2.88.2", + "cwe": [ + "CWE-918" + ], + "cvss": { + "score": 6.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + } + ], + "form-data": [ + { + "id": 1109540, + "url": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", + "title": "form-data uses unsafe random function in form-data for choosing boundary", + "severity": "critical", + "vulnerable_versions": "<2.5.4", + "cwe": [ + "CWE-330" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "ajv": [ + { + "id": 1113714, + "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", + "title": "ajv has ReDoS when using `$data` option", + "severity": "moderate", + "vulnerable_versions": "<6.14.0", + "cwe": [ + "CWE-400", + "CWE-1333" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1097685, + "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw", + "title": "Prototype Pollution in Ajv", + "severity": "moderate", + "vulnerable_versions": "<6.12.3", + "cwe": [ + "CWE-915", + "CWE-1321" + ], + "cvss": { + "score": 5.6, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + } + ], + "json-schema": [ + { + "id": 1101855, + "url": "https://github.com/advisories/GHSA-896r-f27r-55mw", + "title": "json-schema is vulnerable to Prototype Pollution", + "severity": "critical", + "vulnerable_versions": "<0.4.0", + "cwe": [ + "CWE-915", + "CWE-1321" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + } + ], + "tough-cookie": [ + { + "id": 1097682, + "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", + "title": "tough-cookie Prototype Pollution vulnerability", + "severity": "moderate", + "vulnerable_versions": "<4.1.3", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + } + } + ], + "tunnel-agent": [ + { + "id": 1085744, + "url": "https://github.com/advisories/GHSA-xc7v-wxcw-j472", + "title": 
"Memory Exposure in tunnel-agent", + "severity": "moderate", + "vulnerable_versions": "<0.6.0", + "cwe": [ + "CWE-200" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "bl": [ + { + "id": 1090072, + "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", + "title": "Remote Memory Exposure in bl", + "severity": "moderate", + "vulnerable_versions": "<1.2.3", + "cwe": [ + "CWE-125", + "CWE-126" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" + } + } + ], + "jsonpointer": [ + { + "id": 1102906, + "url": "https://github.com/advisories/GHSA-282f-qqgm-c34q", + "title": "Prototype Pollution in node-jsonpointer", + "severity": "moderate", + "vulnerable_versions": "<5.0.0", + "cwe": [ + "CWE-843", + "CWE-1321" + ], + "cvss": { + "score": 5.6, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + } + ], + "hawk": [ + { + "id": 1095062, + "url": "https://github.com/advisories/GHSA-44pw-h2cw-w3vq", + "title": "Uncontrolled Resource Consumption in Hawk", + "severity": "high", + "vulnerable_versions": "<9.0.1", + "cwe": [ + "CWE-400", + "CWE-1333" + ], + "cvss": { + "score": 7.4, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H" + } + } + ], + "hoek": [ + { + "id": 1105092, + "url": "https://github.com/advisories/GHSA-c429-5p7v-vgjp", + "title": "hoek subject to prototype pollution via the clone function.", + "severity": "high", + "vulnerable_versions": "<=6.1.3", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1105121, + "url": "https://github.com/advisories/GHSA-jp4x-w63m-7wgm", + "title": "Prototype Pollution in hoek", + "severity": "high", + "vulnerable_versions": "<4.2.1", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 8.8, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + } + ], + "timespan": [ + { + "id": 1093858, + "url": 
"https://github.com/advisories/GHSA-f523-2f5j-gfcg", + "title": "Regular Expression Denial of Service in timespan", + "severity": "high", + "vulnerable_versions": "<=2.3.0", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "async": [ + { + "id": 1097691, + "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "title": "Prototype Pollution in async", + "severity": "high", + "vulnerable_versions": ">=2.0.0 <2.6.4", + "cwe": [ + "CWE-1321" + ], + "cvss": { + "score": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + } + ], + "pac-resolver": [ + { + "id": 1090384, + "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm", + "title": "Code Injection in pac-resolver", + "severity": "high", + "vulnerable_versions": "<5.0.0", + "cwe": [ + "CWE-94" + ], + "cvss": { + "score": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + } + ], + "degenerator": [ + { + "id": 1090403, + "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm", + "title": "Code Injection in pac-resolver", + "severity": "high", + "vulnerable_versions": "<3.0.1", + "cwe": [ + "CWE-94" + ], + "cvss": { + "score": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + } + ], + "word-wrap": [ + { + "id": 1102444, + "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", + "title": "word-wrap vulnerable to Regular Expression Denial of Service", + "severity": "moderate", + "vulnerable_versions": "<1.2.4", + "cwe": [ + "CWE-1333" + ], + "cvss": { + "score": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + } + ], + "ip": [ + { + "id": 1101851, + "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", + "title": "ip SSRF improper categorization in isPublic", + "severity": "high", + "vulnerable_versions": "<=2.0.1", + "cwe": [ + "CWE-918" + ], + "cvss": { + "score": 8.1, + "vectorString": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1114831, + "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", + "title": "NPM IP package incorrectly identifies some private IP addresses as public", + "severity": "low", + "vulnerable_versions": "<1.1.9", + "cwe": [ + "CWE-918" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "netmask": [ + { + "id": 1093560, + "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r", + "title": "netmask npm package mishandles octal input data", + "severity": "moderate", + "vulnerable_versions": "<2.0.1", + "cwe": [ + "CWE-20" + ], + "cvss": { + "score": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + }, + { + "id": 1089900, + "url": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc", + "title": "Improper parsing of octal bytes in netmask", + "severity": "critical", + "vulnerable_versions": "<1.1.0", + "cwe": [ + "CWE-20" + ], + "cvss": { + "score": 9.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + } + ], + "nodemailer": [ + { + "id": 1107232, + "url": "https://github.com/advisories/GHSA-9h6g-pr28-7cqp", + "title": "nodemailer ReDoS when trying to send a specially crafted email", + "severity": "moderate", + "vulnerable_versions": "<=6.9.8", + "cwe": [ + "CWE-1333" + ], + "cvss": { + "score": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + }, + { + "id": 1109804, + "url": "https://github.com/advisories/GHSA-mm7p-fcc7-pg87", + "title": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict", + "severity": "moderate", + "vulnerable_versions": "<7.0.7", + "cwe": [ + "CWE-20", + "CWE-436" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1113165, + "url": "https://github.com/advisories/GHSA-rcmh-qjqh-p98v", + "title": "Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls", + "severity": "high", + "vulnerable_versions": "<=7.0.10", + 
"cwe": [ + "CWE-703" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1089709, + "url": "https://github.com/advisories/GHSA-hwqf-gcqm-7353", + "title": "Header injection in nodemailer", + "severity": "moderate", + "vulnerable_versions": "<6.6.1", + "cwe": [ + "CWE-74" + ], + "cvss": { + "score": 6.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L" + } + }, + { + "id": 1115470, + "url": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8", + "title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter", + "severity": "low", + "vulnerable_versions": "<8.0.4", + "cwe": [ + "CWE-93" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1089880, + "url": "https://github.com/advisories/GHSA-48ww-j4fc-435p", + "title": "Command injection in nodemailer", + "severity": "critical", + "vulnerable_versions": "<6.4.16", + "cwe": [ + "CWE-88" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1116270, + "url": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g", + "title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", + "severity": "moderate", + "vulnerable_versions": "<=8.0.4", + "cwe": [ + "CWE-93" + ], + "cvss": { + "score": 4.9, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" + } + } + ], + "underscore": [ + { + "id": 1109570, + "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", + "title": "Arbitrary Code Execution in underscore", + "severity": "critical", + "vulnerable_versions": ">=1.3.2 <1.12.1", + "cwe": [ + "CWE-94" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1113950, + "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw", + "title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for 
DoS attack", + "severity": "high", + "vulnerable_versions": "<=1.13.7", + "cwe": [ + "CWE-674", + "CWE-770" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "redis": [ + { + "id": 1089196, + "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3", + "title": "Node-Redis potential exponential regex in monitor mode", + "severity": "high", + "vulnerable_versions": ">=2.6.0 <3.1.1", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "requestretry": [ + { + "id": 1090420, + "url": "https://github.com/advisories/GHSA-hjp8-2cm3-cc45", + "title": "Cookie exposure in requestretry", + "severity": "high", + "vulnerable_versions": "<7.0.0", + "cwe": [ + "CWE-200" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + } + ], + "minimatch": [ + { + "id": 1113459, + "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", + "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", + "severity": "high", + "vulnerable_versions": "<3.1.3", + "cwe": [ + "CWE-1333" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1113538, + "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", + "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", + "severity": "high", + "vulnerable_versions": "<3.1.3", + "cwe": [ + "CWE-407" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1113546, + "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", + "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", + "severity": "high", + "vulnerable_versions": "<3.1.4", + "cwe": [ + "CWE-1333" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 
1096485, + "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", + "title": "minimatch ReDoS vulnerability", + "severity": "high", + "vulnerable_versions": "<3.0.5", + "cwe": [ + "CWE-400", + "CWE-1333" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "brace-expansion": [ + { + "id": 1105443, + "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", + "title": "brace-expansion Regular Expression Denial of Service vulnerability", + "severity": "low", + "vulnerable_versions": ">=1.0.0 <=1.1.11", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 3.1, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" + } + }, + { + "id": 1115540, + "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", + "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", + "severity": "moderate", + "vulnerable_versions": "<1.1.13", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + } + ], + "socket.io": [ + { + "id": 1100551, + "url": "https://github.com/advisories/GHSA-25hc-qcg6-38wj", + "title": "socket.io has an unhandled 'error' event", + "severity": "moderate", + "vulnerable_versions": "<2.5.0", + "cwe": [ + "CWE-20", + "CWE-754" + ], + "cvss": { + "score": 7.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + }, + { + "id": 1093718, + "url": "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", + "title": "CORS misconfiguration in socket.io", + "severity": "moderate", + "vulnerable_versions": "<2.4.0", + "cwe": [ + "CWE-346", + "CWE-453" + ], + "cvss": { + "score": 4.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + } + ], + "engine.io": [ + { + "id": 1105123, + "url": "https://github.com/advisories/GHSA-j4f2-536g-r55m", + "title": "Resource exhaustion in engine.io", + "severity": "high", + "vulnerable_versions": "<3.6.0", + "cwe": [ + "CWE-400" 
+ ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1089526, + "url": "https://github.com/advisories/GHSA-r7qp-cfhv-p84w", + "title": "Uncaught exception in engine.io", + "severity": "moderate", + "vulnerable_versions": "<3.6.1", + "cwe": [ + "CWE-248" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "cookie": [ + { + "id": 1103907, + "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", + "title": "cookie accepts cookie name, path, and domain with out of bounds characters", + "severity": "low", + "vulnerable_versions": "<0.7.0", + "cwe": [ + "CWE-74" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "ws": [ + { + "id": 1098395, + "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", + "title": "ws affected by a DoS when handling a request with many HTTP headers", + "severity": "high", + "vulnerable_versions": ">=2.1.0 <5.2.4", + "cwe": [ + "CWE-476" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + } + ], + "xmlhttprequest-ssl": [ + { + "id": 1095090, + "url": "https://github.com/advisories/GHSA-72mh-269x-7mh5", + "title": "Improper Certificate Validation in xmlhttprequest-ssl", + "severity": "critical", + "vulnerable_versions": "<1.6.1", + "cwe": [ + "CWE-295" + ], + "cvss": { + "score": 9.4, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" + } + }, + { + "id": 1095088, + "url": "https://github.com/advisories/GHSA-h4j5-c7cj-74xg", + "title": "xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection", + "severity": "critical", + "vulnerable_versions": "<1.6.2", + "cwe": [ + "CWE-94" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + } + ], + "parseuri": [ + { + "id": 1107224, + "url": "https://github.com/advisories/GHSA-6fx8-h7jm-663j", + "title": "parse-uri 
Regular expression Denial of Service (ReDoS)", + "severity": "moderate", + "vulnerable_versions": "<2.0.0", + "cwe": [ + "CWE-185", + "CWE-1333" + ], + "cvss": { + "score": 0, + "vectorString": null + } + } + ], + "socket.io-parser": [ + { + "id": 1100540, + "url": "https://github.com/advisories/GHSA-cqmj-92xf-r6r9", + "title": "Insufficient validation when decoding a Socket.IO packet", + "severity": "moderate", + "vulnerable_versions": "<3.3.4", + "cwe": [ + "CWE-20", + "CWE-754" + ], + "cvss": { + "score": 7.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + }, + { + "id": 1115156, + "url": "https://github.com/advisories/GHSA-677m-j7p3-52f9", + "title": "socket.io allows an unbounded number of binary attachments", + "severity": "high", + "vulnerable_versions": "<3.3.5", + "cwe": [ + "CWE-754" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1089711, + "url": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", + "title": "Resource exhaustion in socket.io-parser", + "severity": "high", + "vulnerable_versions": "<3.3.2", + "cwe": [ + "CWE-400" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1097134, + "url": "https://github.com/advisories/GHSA-qm95-pgcg-qqfq", + "title": "Insufficient validation when decoding a Socket.IO packet", + "severity": "critical", + "vulnerable_versions": "<3.3.3", + "cwe": [ + "CWE-20", + "CWE-89", + "CWE-1287" + ], + "cvss": { + "score": 9.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + } + ], + "tmp": [ + { + "id": 1109537, + "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6", + "title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter", + "severity": "low", + "vulnerable_versions": "<=0.2.3", + "cwe": [ + "CWE-59" + ], + "cvss": { + "score": 2.5, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + } + ], + "useragent": [ + { + 
"id": 1107230,
+ "url": "https://github.com/advisories/GHSA-mgfv-m47x-4wqp",
+ "title": "useragent Regular Expression Denial of Service vulnerability",
+ "severity": "moderate",
+ "vulnerable_versions": "<=2.3.0",
+ "cwe": [
+ "CWE-1333"
+ ],
+ "cvss": {
+ "score": 7.5,
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ }
+ ],
+ "sync-exec": [
+ {
+ "id": 1093475,
+ "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q",
+ "title": "Tmp files readable by other users in sync-exec",
+ "severity": "moderate",
+ "vulnerable_versions": "<=0.6.2",
+ "cwe": [
+ "CWE-377"
+ ],
+ "cvss": {
+ "score": 6.5,
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ }
+ ]
 }
\ No newline at end of file
diff --git a/deps/compliance/commands/test/audit/utils/responses/dev-vulnerabilities-only-response.json b/deps/compliance/commands/test/audit/utils/responses/dev-vulnerabilities-only-response.json
index deccf7b058..bbd29f041e
--- a/deps/compliance/commands/test/audit/utils/responses/dev-vulnerabilities-only-response.json
+++ b/deps/compliance/commands/test/audit/utils/responses/dev-vulnerabilities-only-response.json
@@ -1,278 +1,211 @@ { - "actions": [ + "axios": [ { - "action": "review", - "module": "axios", - "resolves": [ - { - "id": 1005018, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1005506, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1006349, - "path": ".>axios", - "dev": false, - "optional": false, - "bundled": false - } - ] + "id": 1102326, + "url": "https://github.com/advisories/GHSA-cph5-m8f7-6c5x", + "title": "axios Inefficient Regular Expression Complexity vulnerability", + "severity": "high", + "vulnerable_versions": "<0.21.2", + "cwe": [ + "CWE-400", + "CWE-1333" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } }, { - "action": "review", - "module": "sync-exec", - "resolves": [ - { - "id": 1005902, - "path": ".>sync-exec", - "dev": false, - "bundled": false, - "optional": false - } - ] + "id": 1111034, + "url": "https://github.com/advisories/GHSA-jr5f-v2jv-69x6", + "title": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL", + "severity": "high", + "vulnerable_versions": "<0.30.0", + "cwe": [ + "CWE-918" + ], + "cvss": { + "score": 0, + "vectorString": null + } }, { - "action": "review", - "module": "follow-redirects", - "resolves": [ - { - "id": 1006865, - "path": ".>axios>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - }, - { - "id": 1007026, - "path": ".>axios>follow-redirects", - "dev": false, - "optional": false, - "bundled": false - } - ] + "id": 1113274, + "url": "https://github.com/advisories/GHSA-43fc-jf86-j433", + "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", + "severity": "high", + "vulnerable_versions": "<=0.30.2", + "cwe": [ + "CWE-754" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + }, + { + "id": 1116365, + "url": 
"https://github.com/advisories/GHSA-3p68-rc4w-qgx5", + "title": "Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF", + "severity": "critical", + "vulnerable_versions": "<1.15.0", + "cwe": [ + "CWE-441", + "CWE-918" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1116605, + "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", + "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", + "severity": "critical", + "vulnerable_versions": "<0.31.0", + "cwe": [ + "CWE-113", + "CWE-444", + "CWE-918" + ], + "cvss": { + "score": 10, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + } + }, + { + "id": 1090049, + "url": "https://github.com/advisories/GHSA-4w2v-q235-vp99", + "title": "Axios vulnerable to Server-Side Request Forgery", + "severity": "moderate", + "vulnerable_versions": "<0.21.1", + "cwe": [ + "CWE-918" + ], + "cvss": { + "score": 5.9, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + }, + { + "id": 1097679, + "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", + "title": "Axios Cross-Site Request Forgery Vulnerability", + "severity": "moderate", + "vulnerable_versions": ">=0.8.1 <0.28.0", + "cwe": [ + "CWE-352" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + }, + { + "id": 1091722, + "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m", + "title": "Denial of Service in axios", + "severity": "high", + "vulnerable_versions": "<=0.18.0", + "cwe": [ + "CWE-20", + "CWE-755" + ], + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } } ], - "advisories": { - "1005018": { - "findings": [ - { - "version": "0.15.3", - "paths": [ - ".>axios" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.21.1", - "module_name": "axios", - "severity": "high", - "github_advisory_id": "GHSA-cph5-m8f7-6c5x", - "cves": [ - "CVE-2021-3749" - ], - 
"access": "public", - "patched_versions": ">=0.21.2", - "updated": "2021-09-08T16:46:47.000Z", - "recommendation": "Upgrade to version 0.21.2 or later", - "cwe": "CWE-697", - "found_by": null, - "deleted": null, - "id": 1005018, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3749\n- https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929\n- https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31\n- https://www.npmjs.com/package/axios\n- https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-cph5-m8f7-6c5x", - "created": "2021-11-18T16:00:48.489Z", - "reported_by": null, - "title": "Incorrect Comparison in axios", - "npm_advisory_id": null, - "overview": "axios is vulnerable to 
Inefficient Regular Expression Complexity", - "url": "https://github.com/advisories/GHSA-cph5-m8f7-6c5x" - }, - "1005506": { - "findings": [ - { - "version": "0.15.3", - "paths": [ - ".>axios" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<0.21.1", - "module_name": "axios", - "severity": "high", - "github_advisory_id": "GHSA-4w2v-q235-vp99", - "cves": [ - "CVE-2020-28168" - ], - "access": "public", - "patched_versions": ">=0.21.1", - "updated": "2021-01-04T20:58:17.000Z", - "recommendation": "Upgrade to version 0.21.1 or later", - "cwe": "CWE-918", - "found_by": null, - "deleted": null, - "id": 1005506, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28168\n- https://github.com/axios/axios/issues/3369\n- https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55\n- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255\n- https://www.npmjs.com/package/axios\n- https://www.npmjs.com/advisories/1594\n- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-4w2v-q235-vp99", - "created": "2021-11-18T16:00:48.546Z", - "reported_by": null, - "title": "Server-Side Request Forgery in Axios", - "npm_advisory_id": null, - "overview": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.", - "url": "https://github.com/advisories/GHSA-4w2v-q235-vp99" - }, - "1005902": { - "findings": [ - { - "version": "0.6.2", - "paths": [ - ".>sync-exec" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.6.2", - "module_name": 
"sync-exec", - "severity": "moderate", - "github_advisory_id": "GHSA-38h8-x697-gh8q", - "cves": [ - "CVE-2017-16024" - ], - "access": "public", - "patched_versions": "<0.0.0", - "updated": "2020-08-31T18:18:48.000Z", - "recommendation": "None", - "cwe": "CWE-377", - "found_by": null, - "deleted": null, - "id": 1005902, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16024\n- https://github.com/gvarsanyi/sync-exec/issues/17\n- https://cwe.mitre.org/data/definitions/377.html\n- https://github.com/advisories/GHSA-38h8-x697-gh8q\n- https://www.npmjs.com/advisories/310\n- https://nodesecurity.io/advisories/310\n- https://www.owasp.org/index.php/Insecure_Temporary_File", - "created": "2021-11-18T16:00:48.581Z", - "reported_by": null, - "title": "Tmp files readable by other users in sync-exec", - "npm_advisory_id": null, - "overview": "Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user.\n\n\n## Recommendation\n\nThere is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. 
\n\nThe best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.", - "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q" - }, - "1006349": { - "findings": [ - { - "version": "0.15.3", - "paths": [ - ".>axios" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<=0.18.0", - "module_name": "axios", - "severity": "high", - "github_advisory_id": "GHSA-42xw-2xvc-qx8m", - "cves": [ - "CVE-2019-10742" - ], - "access": "public", - "patched_versions": ">=0.18.1", - "updated": "2019-06-05T16:22:11.000Z", - "recommendation": "Upgrade to version 0.18.1 or later", - "cwe": "CWE-20", - "found_by": null, - "deleted": null, - "id": 1006349, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-10742\n- https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://github.com/axios/axios/issues/1098\n- https://github.com/axios/axios/pull/1485\n- https://snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://www.npmjs.com/advisories/880\n- https://github.com/advisories/GHSA-42xw-2xvc-qx8m", - "created": "2021-11-18T16:00:48.617Z", - "reported_by": null, - "title": "Denial of Service in axios", - "npm_advisory_id": null, - "overview": "Versions of `axios` prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the `maxContentLength` property, the package prints an error but does not stop the request. 
This may cause high CPU usage and lead to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to 0.18.1 or later.", - "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m" - }, - "1006865": { - "findings": [ - { - "version": "1.0.0", - "paths": [ - ".>axios>follow-redirects" - ] - } - ], - "metadata": null, - "vulnerable_versions": "<1.14.7", - "module_name": "follow-redirects", - "severity": "high", - "github_advisory_id": "GHSA-74fj-2j2h-c42q", - "cves": [ - "CVE-2022-0155" - ], - "access": "public", - "patched_versions": ">=1.14.7", - "updated": "2022-01-11T18:41:09.000Z", - "recommendation": "Upgrade to version 1.14.7 or later", - "cwe": "CWE-359", - "found_by": null, - "deleted": null, - "id": 1006865, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q", - "created": "2022-01-12T23:00:43.967Z", - "reported_by": null, + "follow-redirects": [ + { + "id": 1102323, + "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q", "title": "Exposure of sensitive information in follow-redirects", - "npm_advisory_id": null, - "overview": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor", - "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q" - }, - "1007026": { - "findings": [ - { - "version": "1.0.0", - "paths": [ - ".>axios>follow-redirects" - ] - } + "severity": "high", + "vulnerable_versions": "<1.14.7", + "cwe": [ + "CWE-359" ], - "metadata": null, - "vulnerable_versions": "<1.14.8", - "module_name": "follow-redirects", + "cvss": { + "score": 8, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + }, + { + "id": 1109569, + "url": "https://github.com/advisories/GHSA-jchw-25xp-jwwc", + "title": "Follow Redirects improperly handles URLs in the 
url.parse() function", "severity": "moderate", - "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", - "cves": [ - "CVE-2022-0536" + "vulnerable_versions": "<1.15.4", + "cwe": [ + "CWE-20", + "CWE-601" ], - "access": "public", - "patched_versions": ">=1.14.8", - "updated": "2022-02-11T21:18:03.000Z", - "recommendation": "Upgrade to version 1.14.8 or later", - "cwe": "CWE-200", - "found_by": null, - "deleted": null, - "id": 1007026, - "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\n- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", - "created": "2022-02-14T23:00:43.878Z", - "reported_by": null, - "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", - "npm_advisory_id": null, - "overview": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.", - "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c" - } - }, - "muted": [], - "metadata": { - "vulnerabilities": { - "info": 0, - "low": 0, - "moderate": 2, - "high": 4, - "critical": 0 + "cvss": { + "score": 6.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } }, - "dependencies": 6, - "devDependencies": 0, - "optionalDependencies": 0, - "totalDependencies": 6 - } + { + "id": 1096856, + "url": "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", + "title": "follow-redirects' Proxy-Authorization header kept across hosts", + "severity": "moderate", + "vulnerable_versions": "<=1.15.5", + "cwe": [ + "CWE-200" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + }, + { + "id": 1116560, + "url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653", + "title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets", + "severity": "moderate", + 
"vulnerable_versions": "<=1.15.11", + "cwe": [ + "CWE-200" + ], + "cvss": { + "score": 0, + "vectorString": null + } + }, + { + "id": 1092623, + "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", + "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", + "severity": "moderate", + "vulnerable_versions": "<1.14.8", + "cwe": [ + "CWE-200", + "CWE-212" + ], + "cvss": { + "score": 5.9, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + } + ], + "sync-exec": [ + { + "id": 1093475, + "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q", + "title": "Tmp files readable by other users in sync-exec", + "severity": "moderate", + "vulnerable_versions": "<=0.6.2", + "cwe": [ + "CWE-377" + ], + "cvss": { + "score": 6.5, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + } + ] } \ No newline at end of file diff --git a/deps/compliance/commands/test/audit/utils/responses/index.ts b/deps/compliance/commands/test/audit/utils/responses/index.ts index 59f3b355a7..6e977b5d27 100644 --- a/deps/compliance/commands/test/audit/utils/responses/index.ts +++ b/deps/compliance/commands/test/audit/utils/responses/index.ts @@ -8,3 +8,5 @@ export const DEV_VULN_ONLY_RESP = loadJsonFileSync(path.join(import.meta.di export const ALL_VULN_RESP = loadJsonFileSync(path.join(import.meta.dirname, 'all-vulnerabilities-response.json')) // eslint-disable-next-line export const NO_VULN_RESP = loadJsonFileSync(path.join(import.meta.dirname, 'no-vulnerabilities-response.json')) +// eslint-disable-next-line +export const INFO_VULN_RESP = loadJsonFileSync(path.join(import.meta.dirname, 'info-vulnerability-response.json')) diff --git a/deps/compliance/commands/test/audit/utils/responses/info-vulnerability-response.json b/deps/compliance/commands/test/audit/utils/responses/info-vulnerability-response.json new file mode 100644 index 0000000000..3f70ba15ab --- /dev/null 
+++ b/deps/compliance/commands/test/audit/utils/responses/info-vulnerability-response.json
@@ -0,0 +1,11 @@
+{
+  "axios": [
+    {
+      "id": 100,
+      "url": "https://github.com/advisories/GHSA-info-info-info",
+      "title": "just some info",
+      "severity": "info",
+      "vulnerable_versions": "*"
+    }
+  ]
+}
diff --git a/deps/compliance/commands/test/audit/utils/responses/no-vulnerabilities-response.json b/deps/compliance/commands/test/audit/utils/responses/no-vulnerabilities-response.json
index d1bb849c52..9e26dfeeb6 100644
--- a/deps/compliance/commands/test/audit/utils/responses/no-vulnerabilities-response.json
+++ b/deps/compliance/commands/test/audit/utils/responses/no-vulnerabilities-response.json
@@ -1,18 +1 @@
-{
-  "actions": [],
-  "advisories": {},
-  "muted": [],
-  "metadata": {
-    "vulnerabilities": {
-      "info": 0,
-      "low": 0,
-      "moderate": 0,
-      "high": 0,
-      "critical": 0
-    },
-    "dependencies": 4,
-    "devDependencies": 0,
-    "optionalDependencies": 0,
-    "totalDependencies": 4
-  }
-}
\ No newline at end of file
+{}
\ No newline at end of file
diff --git a/deps/compliance/commands/test/audit/utils/responses/update.ts b/deps/compliance/commands/test/audit/utils/responses/update.ts
index aa5d7b552f..f2212ab172 100644
--- a/deps/compliance/commands/test/audit/utils/responses/update.ts
+++ b/deps/compliance/commands/test/audit/utils/responses/update.ts
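Review bot: The new `info-vulnerability-response.json` fixture omits `cwe` (and `cvss`) and uses `GHSA-info-info-info`, which is not a real advisory id, so whatever test loads `INFO_VULN_RESP` is also implicitly asserting that the audit parser tolerates a missing `cwe` array and derives the GHSA from `url` by a loose pattern rather than strict validation. That may be intended, but the changeset text describes `cwe` as part of every advisory, so a later tightening of the response type would break the `info` severity test for an unrelated reason. With `vulnerable_versions` set to `*` every `axios` version in the fixture lockfile matches, which is what a severity-only test needs. JSON cannot carry a comment, so state the intent next to the test that uses it, e.g. `// fixture deliberately omits cwe/cvss and uses a placeholder GHSA id; only 'info' severity handling is under test`.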
@@ -1,30 +1,37 @@
 import fs from 'node:fs'
 import path from 'node:path'
-import { audit } from '@pnpm/deps.compliance.audit'
+import { lockfileToAuditRequest } from '@pnpm/deps.compliance.audit'
 import { readWantedLockfile } from '@pnpm/lockfile.fs'
 import { fixtures } from '@pnpm/test-fixtures'
 const f = fixtures(import.meta.dirname)
+const REGISTRY = 'https://registry.npmjs.org'
+
 async function writeResponse (lockfileDir: string, filename: string, opts: {
   production?: boolean
   dev?: boolean
   optional?: boolean
-}) {
+}): Promise {
   const lockfile = await readWantedLockfile(lockfileDir, { ignoreIncompatible: true })
+  if (!lockfile) throw new Error(`no lockfile at ${lockfileDir}`)
   const include = {
     dependencies: opts.production !== false,
     devDependencies: opts.dev !== false,
     optionalDependencies: opts.optional !== false,
   }
-  // @ts-expect-error
-  const auditReport = await audit(lockfile!, {
-    dispatcherOptions: {},
-    include,
-    registry: 'https://registry.npmjs.org/',
+  const auditRequest = lockfileToAuditRequest(lockfile, { include })
+  const res = await fetch(`${REGISTRY}/-/npm/v1/security/advisories/bulk`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(auditRequest.request),
   })
-  fs.writeFileSync(path.join(import.meta.dirname, filename), JSON.stringify(auditReport, null, 2))
+  if (!res.ok) {
+    throw new Error(`bulk audit endpoint responded with ${res.status}: ${await res.text()}`)
+  }
+  const bulkResponse = await res.json()
+  fs.writeFileSync(path.join(import.meta.dirname, filename), JSON.stringify(bulkResponse, null, 2))
 }
 ; (async () => {
@@ -34,4 +41,7 @@ async function writeResponse (lockfileDir: string, filename: string, opts: {
   })
   await writeResponse(f.find('has-vulnerabilities'), 'all-vulnerabilities-response.json', {})
   await writeResponse(f.find('has-outdated-deps'), 'no-vulnerabilities-response.json', {})
-})()
+})().catch((err: unknown) => {
+  console.error(err)
+  process.exitCode = 1
+})
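Review bot: The value returned by `res.json()` is written straight into a committed fixture with no shape check, so if the bulk endpoint ever answers 2xx with something other than a `{ [packageName]: Advisory[] }` map (an error object, a maintenance page served as JSON) the broken body becomes the ground truth the audit tests run against, and `res.ok` alone does not catch that. A minimal structural check before `fs.writeFileSync` keeps the fixture generator honest and lets `bulkResponse` be declared `unknown` instead of inheriting the implicit `any` from `res.json()`. The `fetch` call also has no upper bound on how long the registry may hold the connection; `signal: AbortSignal.timeout(30_000)` in the request init would give the script a predictable failure instead of a hang. The IIFE that begins at `; (async () => {` at the end of this hunk continues into the second hunk, where the new `.catch` sets `process.exitCode`.
```typescript
  // … unchanged: lockfileToAuditRequest / fetch call …
  if (!res.ok) {
    throw new Error(`bulk audit endpoint responded with ${res.status}: ${await res.text()}`)
  }
  const bulkResponse: unknown = await res.json()
  // The fixture is consumed as a package-name -> advisory[] map; refuse to commit anything else.
  if (bulkResponse == null || typeof bulkResponse !== 'object' || Array.isArray(bulkResponse) ||
    !Object.values(bulkResponse).every(Array.isArray)) {
    throw new Error(`bulk audit endpoint returned an unexpected body shape for ${filename}`)
  }
  fs.writeFileSync(path.join(import.meta.dirname, filename), JSON.stringify(bulkResponse, null, 2))
```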
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index b560a774d1..2d9fc9885e 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -2710,6 +2710,9 @@ importers: deps/compliance/audit: dependencies: + '@pnpm/deps.path': + specifier: workspace:* + version: link:../../path '@pnpm/error': specifier: workspace:* version: link:../../../core/error @@ -2737,12 +2740,9 @@ importers: '@pnpm/types': specifier: workspace:* version: link:../../../core/types - '@pnpm/workspace.project-manifest-reader': - specifier: workspace:* - version: link:../../../workspace/project-manifest-reader - ramda: + semver: specifier: 'catalog:' - version: '@pnpm/ramda@0.28.1' + version: 7.7.4 devDependencies: '@pnpm/constants': specifier: workspace:* @@ -2759,9 +2759,9 @@ importers: '@pnpm/testing.mock-agent': specifier: workspace:* version: link:../../../testing/mock-agent - '@types/ramda': + '@types/semver': specifier: 'catalog:' - version: 0.31.1 + version: 7.7.1 deps/compliance/commands: dependencies: diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 33e367a100..6e62d28ad0 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -60,8 +60,6 @@ allowBuilds: unrs-resolver: true auditConfig: - ignoreCves: - - CVE-2025-56200 ignoreGhsas: - GHSA-2g4f-4pwh-qvx6 - GHSA-76c9-3jph-rj3q