
node-express-mongo-db's Introduction

Node, Express and MongoDB

Code style: js-standard-style. License: MIT

Overview

This is a simple, minimal example of how to implement an API with Node, Express and MongoDB (local or Atlas), using the Mongoose ODM.

Requirements

  • Node 12+
  • NPM
  • MongoDB
  • Mongoose ODM
  • Optional: MongoDB account

Install dependencies

npm install

Running the server

Development

npm run dev

Production

npm run build

npm start

API endpoints

GET /api/users

  • Returns an object whose data key contains an array of 40 user records.
  • Supports query string:
    • ?limit=integer
    • ?offset=integer

Request:

curl http://127.0.0.1:3333/api/users

Sample response:

{
  "data": [
    {
      "_id": "60da6b74fc13ae7069000d4b",
      "firstname": "Dedra",
      "lastname": "Demangel",
      "age": 96,
      "gender": "Agender",
      "username": "ddemangel3",
      "company": "Skidoo",
      "email": "[email protected]",
      "phone": "759-142-2883",
      "address": "4 Fisk Drive"
    },
    {
      "_id": "60da6b74fc13ae7069000d48",
      "firstname": "Martynne",
      "lastname": "Pimmocke",
      "age": 79,
      "gender": "Female",
      "username": "mpimmocke0",
      "company": "Edgeify",
      "email": "[email protected]",
      "phone": "354-508-5487",
      "address": "20633 Stone Corner Trail"
    }
  ]
}

Query string

GET /api/users?limit=1

  • Returns n record(s), where n is the value (type: Number) of the limit key.

Request:

curl http://127.0.0.1:3333/api/users?limit=1

Response:

{
  "data": [
    {
      "_id": "60da6b74fc13ae7069000d4b",
      "firstname": "Dedra",
      "lastname": "Demangel",
      "age": 96,
      "gender": "Agender",
      "username": "ddemangel3",
      "company": "Skidoo",
      "email": "[email protected]",
      "phone": "759-142-2883",
      "address": "4 Fisk Drive"
    }
  ]
}

A non-numeric value for limit returns all the users. Example: /api/users?limit=%27Hello%27

GET /api/users?offset=10

  • Returns the records starting from the n-th record, where n is the value (type: Number) of the offset key.

Request:

curl http://127.0.0.1:3333/api/users?offset=10

Response:

{
  "data": [
    {
      "_id": "60da6b74fc13ae7069000d55",
      "firstname": "Cindi",
      "lastname": "Harnell",
      "age": 57,
      "gender": "Bigender",
      "username": "charnelld",
      "company": "Skyble",
      "email": "[email protected]",
      "phone": "176-961-8815",
      "address": "09953 Susan Alley"
    },
    {
      "_id": "60da6b74fc13ae7069000d57",
      "firstname": "Olva",
      "lastname": "Hoodless",
      "age": 61,
      "gender": "Female",
      "username": "ohoodlessf",
      "company": "Jaloo",
      "email": "[email protected]",
      "phone": "886-598-0586",
      "address": "8 Chinook Pass"
    }
  ]
}

GET /latency

  • Returns an object after a delay of 1 second (default).
  • Supports query string:
    • ?delay=integer (milliseconds)

Request:

curl http://127.0.0.1:3333/latency

Response:

{
  "data": "Thanks for waiting 1 second"
}

Query string

GET /latency?delay=2000

  • Sets the delay to n milliseconds, where n is the value (type: Number) of the delay key, with min 1000 and max 4000. Default value: 1000 ms.

A non-numeric value for delay produces the default delay of 1000 ms.

Request:

curl http://127.0.0.1:3333/latency?delay=2000

Response:

{
  "data": "Thanks for waiting 2 seconds"
}

GET everything else

  • Any other path returns the following object.

Request:

curl http://127.0.0.1:3333/

Response:

{
  "message": "Node.js, Express, and MongoDB API!"
}
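The query-string handling the endpoints above describe (a non-numeric limit returns all users, a non-numeric delay falls back to 1000 ms, delay bounded between 1000 and 4000 ms), written out as an added example that is not the project's own code. It runs without Express or MongoDB: the handlers are plain functions over a constructed in-memory user list, and the Express wiring appears only in a comment. The function names, the 40-record cap on limit and the choice to clamp out-of-range delays rather than reject them are assumptions of this example.

```javascript
// Added example (not the project's own code): the query-string handling the
// README documents for /api/users and /latency, as plain functions so it runs
// without Express or MongoDB.

const DEFAULT_LIMIT = 40;        // README: the endpoint returns 40 records
const MAX_LIMIT = 40;            // assumption: never return more than one default page
const MIN_DELAY_MS = 1000;       // README: min 1000 ms
const MAX_DELAY_MS = 4000;       // README: max 4000 ms
const DEFAULT_DELAY_MS = 1000;   // README: default 1000 ms

// Parse a single query-string value as a non-negative integer.
// Anything else (missing, array from ?limit=1&limit=2, object from
// ?limit[x]=1, '1.5', '1e3', "'Hello'") yields null, so a caller cannot
// smuggle a non-number into a database query.
function toNonNegativeInt(value) {
  if (typeof value !== 'string' || !/^\d{1,15}$/.test(value)) return null;
  return Number(value);
}

// Paging options as documented: a wrong type for limit returns all users
// (one default page); a wrong type for offset starts at the beginning.
function parsePaging(query) {
  const limit = toNonNegativeInt(query.limit);
  const offset = toNonNegativeInt(query.offset);
  return {
    limit: limit === null || limit === 0 ? DEFAULT_LIMIT : Math.min(limit, MAX_LIMIT),
    offset: offset === null ? 0 : offset,
  };
}

// Delay as documented: a wrong type falls back to the default; out-of-range
// values are clamped into [MIN_DELAY_MS, MAX_DELAY_MS] (assumption: the
// README does not say whether it clamps or rejects them).
function parseDelay(query) {
  const n = toNonNegativeInt(query.delay);
  if (n === null) return DEFAULT_DELAY_MS;
  return Math.min(Math.max(n, MIN_DELAY_MS), MAX_DELAY_MS);
}

// Response body of /latency for a given delay.
function latencyMessage(delayMs) {
  const seconds = delayMs / 1000;
  return `Thanks for waiting ${seconds} ${seconds === 1 ? 'second' : 'seconds'}`;
}

// In-memory stand-in for the users collection: 40 constructed records.
const SAMPLE_USERS = Array.from({ length: 40 }, (_, i) => ({
  _id: `constructed-id-${String(i).padStart(2, '0')}`,
  username: `user${i}`,
}));

// Equivalent of User.find().skip(offset).limit(limit) over the array.
function pageUsers(users, query) {
  const { limit, offset } = parsePaging(query);
  return { data: users.slice(offset, offset + limit) };
}

// How the handlers would be mounted on Express (assumed wiring, not run here):
//   app.get('/api/users', async (req, res) => {
//     const { limit, offset } = parsePaging(req.query);
//     res.json({ data: await User.find().skip(offset).limit(limit) });
//   });
//   app.get('/latency', (req, res) => {
//     const ms = parseDelay(req.query);
//     setTimeout(() => res.json({ data: latencyMessage(ms) }), ms);
//   });

// Walk through the README's own requests against the constructed data.
function demo() {
  return {
    limitOne: pageUsers(SAMPLE_USERS, { limit: '1' }).data.length,          // 1
    wrongType: pageUsers(SAMPLE_USERS, { limit: "'Hello'" }).data.length,   // 40
    offsetTen: pageUsers(SAMPLE_USERS, { offset: '10' }).data[0]._id,       // constructed-id-10
    delay: latencyMessage(parseDelay({ delay: '2000' })),                   // Thanks for waiting 2 seconds
  };
}
```

Reading each value out of req.query as a string matters because Express 4's default (extended) query parser hands a handler an array for ?limit=1&limit=2 and an object for ?limit[x]=1; passing either straight into Mongoose's .limit() is a type-confusion bug this check rules out, and capping limit keeps a single request from pulling the whole collection once it grows past the 40 sample records.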

Notes:

If you need help at the time of migrating from mLab to MongoDB Atlas

node-express-mongo-db's People

Contributors

alpersonalwebsite, greenkeeper[bot]


Forkers

dilane3

node-express-mongo-db's Issues

CVE-2021-23438 (Medium) detected in mpath-0.8.3.tgz - autoclosed

CVE-2021-23438 - Medium Severity Vulnerability

Vulnerable Library - mpath-0.8.3.tgz

{G,S}et object values using MongoDB-like path notation

Library home page: https://registry.npmjs.org/mpath/-/mpath-0.8.3.tgz

Path to dependency file: node-express-mongo-db/package.json

Path to vulnerable library: node-express-mongo-db/node_modules/mpath/package.json

Dependency Hierarchy:

  • mongoose-5.13.8.tgz (Root Library)
    • mpath-0.8.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Publish Date: 2021-09-01

URL: CVE-2021-23438

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23438

Release Date: 2021-09-01

Fix Resolution: mpath - 0.8.4


Step up your Open Source Security Game with WhiteSource here
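The vulnerability details above describe a guard that compares a path segment against a block list with indexOf and is defeated when the segment arrives as an array rather than a string. As an added example (not mpath's code, and not the fix its maintainers shipped), here is a path setter whose guard rejects any non-string segment before consulting the block list, with a helper that reports a rejected path as bad input rather than an exception; the function names are hypothetical.

```javascript
// Added example (not mpath's code): setting a value by path with a segment
// guard that does not suffer the type confusion described in CVE-2021-23438.
// Names (isUnsafeSegment, setPath, trySetPath) are hypothetical.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A segment is acceptable only if it is a plain string that is not a key
// reaching into the prototype chain. Property access coerces other values to
// strings (obj[['__proto__']] is obj['__proto__']), so a check such as
// blockList.indexOf(segment) !== -1 compares the array itself, never the
// string it will become, and lets it through. Refusing every non-string
// segment closes that gap regardless of how the path was built.
function isUnsafeSegment(segment) {
  if (typeof segment !== 'string') return true;
  return FORBIDDEN_SEGMENTS.has(segment);
}

// Set `value` at `path` ('a.b.c' or ['a', 'b', 'c']) inside `target`,
// creating intermediate objects. Throws instead of writing when any segment
// fails the guard, so Object.prototype is never touched.
function setPath(target, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  let current = target;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (isUnsafeSegment(key)) {
      throw new TypeError(`refusing path segment ${JSON.stringify(key)}`);
    }
    if (i === parts.length - 1) {
      current[key] = value;
      return target;
    }
    // Only descend into an own, non-null object; otherwise replace it, so an
    // inherited property (e.g. toString) is never used as a container.
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  return target;
}

// Returns true when the path was written and false when the guard rejected
// it, for callers that treat a rejected key as invalid input.
function trySetPath(target, path, value) {
  try {
    setPath(target, path, value);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}
```

A regression test for this kind of guard should feed it each segment shape the path parser can produce (string, array of strings, nested array) and then confirm that a fresh object literal has not acquired the property, since a polluted Object.prototype is invisible from the return value of the setter alone.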

CVE-2022-24304 (High) detected in mongoose-5.13.14.tgz - autoclosed

CVE-2022-24304 - High Severity Vulnerability

Vulnerable Library - mongoose-5.13.14.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.14.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.14.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Schema in lib/schema.js in Mongoose before 6.4.6 is vulnerable to prototype pollution.

Publish Date: 2022-08-25

URL: CVE-2022-24304

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-08-26

Fix Resolution: 6.4.6


CVE-2020-8116 (Medium) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - Medium Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/node-express-mongo-db/package.json

Path to vulnerable library: /tmp/ws-scm/node-express-mongo-db/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • nodemon-2.0.2.tgz (Root Library)
    • update-notifier-2.5.0.tgz
      • configstore-3.1.2.tgz
        • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 59d32132e292a6bbd9e7ac22eaf45e29f8729765

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1


CVE-2021-3777 (High) detected in tmpl-1.0.4.tgz - autoclosed

CVE-2021-3777 - High Severity Vulnerability

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmpl/package.json

Dependency Hierarchy:

  • babel-jest-26.6.3.tgz (Root Library)
    • transform-26.6.2.tgz
      • jest-haste-map-26.6.2.tgz
        • walker-1.0.7.tgz
          • makeerror-1.0.11.tgz
            • tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 60afc75e9041891586eda98105e15ee24d5f37d8

Found in base branch: master

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (babel-jest): 27.0.0


CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: node-express-mongo-db/package.json

Path to vulnerable library: node-express-mongo-db/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • read-pkg-up-2.0.0.tgz
      • read-pkg-2.0.0.tgz
        • normalize-package-data-2.5.0.tgz
          • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 395519f333141056d325368644db515d29b9e0cb

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/npm/hosted-git-info/releases/tag/v3.0.8

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 3.0.8


CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: node-express-mongo-db/package.json

Path to vulnerable library: node-express-mongo-db/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: e32bb10be69e73fc736bda954ec45c3707df7d1d

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


An in-range update of eslint-plugin-import is breaking the build 🚨


☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io


The devDependency eslint-plugin-import was updated from 2.20.1 to 2.20.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

eslint-plugin-import is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • WhiteSource Security Check: The Security Check found 1 vulnerability.

    Severity | CVSS Score | CVE | GitHub Issue
    High | 7.5 | CVE-2020-8116 | #14

    Scan token: 7d9d4ce7b49f49289ef230eeb6ee2c16
  • Travis CI - Branch: The build passed.

Commits

The new version differs by 14 commits.

  • 71ca88f Bump to v2.20.2
  • a618f88 [Tests] pin esquery, due to breaking change in a minor version
  • 9c5899e utils: v2.6.0
  • efb5f07 [Tests] use babel instead of NODE_PATH
  • 1a3a128 [Fix] first: Add a way to disable absolute-first explicitly
  • efd6be1 [Fix] no-unused-modules: handle export { default } from syntax
  • adbced7 utils: [New] Print more helpful info if parsing fails
  • b6242b0 [fix] no-duplicates: fix fixer on cases with default import
  • 41aaa18 resolvers/node: [New] add .node extension
  • 12971f5 [Fix] order: recognize ".." as a "parent" path
  • 47f912e [Fix] order: fix isExternalModule detection on windows
  • 8905007 [Tests] appveyor: on node 8-12, use npm 6.10.3
  • 2beec94 [meta] use in-publish in prepublish
  • 1fbef73 [meta] fix changelog link

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of eslint is breaking the build 🚨

The devDependency eslint was updated from 6.2.1 to 6.2.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

eslint is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • WhiteSource Security Check: Oops! An error occurred while running the Security Check.

    Please contact the WhiteSource Support team at [email protected] and mention the following scan token: bb7fa069246348f4b9416d7a33a4d49f
  • Travis CI - Branch: The build passed.

Release Notes for v6.2.2

  • 0e0b784 Upgrade: espree@^6.1.1 (#12158) (Kevin Partington)
  • 04e859f Sponsors: Sync README with website (ESLint Jenkins)
  • 34783d1 Sponsors: Sync README with website (ESLint Jenkins)
  • b809e72 Docs: Update README team and sponsors (ESLint Jenkins)

Commits

The new version differs by 6 commits.

  • ca658fb 6.2.2
  • 3ed9f76 Build: changelog update for 6.2.2
  • 0e0b784 Upgrade: espree@^6.1.1 (#12158)
  • 04e859f Sponsors: Sync README with website
  • 34783d1 Sponsors: Sync README with website
  • b809e72 Docs: Update README team and sponsors

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of eslint-plugin-node is breaking the build 🚨

The devDependency eslint-plugin-node was updated from 9.1.0 to 9.2.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

eslint-plugin-node is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • WhiteSource Security Check: Oops! An error occurred while running the Security Check.

    Please contact the WhiteSource Support team at [email protected] and mention the following scan token: d43b5910e5e142edaf884db65c8972a4
  • Travis CI - Branch: The build passed.

Commits

The new version differs by 9 commits.

  • 9fbdaec 🔖 9.2.0
  • c1d5dbf ✨ add no-callback-literal rule (#179)
  • 72de3a3 🐛 vulnerability fix: update eslint-utils to ^1.4.2 & eslint-plugin-es to ^1.4.1 (fixes #180) (#183)
  • cfc6352 🎨 fix typos in function names (#177)
  • b757c3e ⚒ improve azure-pipelines.yml (#173)
  • a85d541 ⚒ trivial fix
  • 88829af ⚒ Update azure-pipelines.yml for codecov (#170)
  • 5b3f815 🐛 fix for ESLint 6 (#169)
  • fe73872 ⚒ Switch to Azure Pipelines (#168)

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /node-express-mongo-db/package.json

Path to vulnerable library: /tmp/git/node-express-mongo-db/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-6.0.1.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 65f4456a16d9e469dba488366d733d11d7ec198a

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12


CVE-2022-33987 (Medium) detected in got-9.6.0.tgz - autoclosed

CVE-2022-33987 - Medium Severity Vulnerability

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • nodemon-2.0.15.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0


CVE-2020-7598 (High) detected in minimist-0.0.8.tgz

CVE-2020-7598 - High Severity Vulnerability

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /tmp/ws-scm/node-express-mongo-db/package.json

Path to vulnerable library: /tmp/ws-scm/node-express-mongo-db/node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 4b8dd50f850e5d2609d5a75954d88ba2f20bc34e

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.2


CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: node-express-mongo-db/package.json

Path to vulnerable library: node-express-mongo-db/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: e32bb10be69e73fc736bda954ec45c3707df7d1d

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21


An in-range update of dotenv is breaking the build 🚨

The dependency dotenv was updated from 8.1.0 to 8.2.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

dotenv is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • Travis CI - Branch: The build passed.
  • WhiteSource Security Check: Oops! An error occurred while running the Security Check.

Please contact the WhiteSource Support team at [email protected] and mention the following scan token: 99c4dc9e779d4566961fd5dcabe2348e

Commits

The new version differs by 3 commits.

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • cli-7.18.6.tgz (Root Library)
    • chokidar-3.5.2.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1


CVE-2022-2564 (High) detected in mongoose-5.13.14.tgz

CVE-2022-2564 - High Severity Vulnerability

Vulnerable Library - mongoose-5.13.14.tgz

Mongoose MongoDB ODM

Library home page: https://registry.npmjs.org/mongoose/-/mongoose-5.13.14.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mongoose/package.json

Dependency Hierarchy:

  • mongoose-5.13.14.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

Publish Date: 2022-07-28

URL: CVE-2022-2564

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2564

Release Date: 2022-07-28

Fix Resolution: 5.13.15


CVE-2021-3807 (High) detected in multiple libraries - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/table/node_modules/ansi-regex/package.json,/node_modules/eslint/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • strip-ansi-5.2.0.tgz
      • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint-friendly-formatter/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-friendly-formatter-4.0.1.tgz (Root Library)
    • strip-ansi-4.0.0.tgz
      • ansi-regex-3.0.0.tgz (Vulnerable Library)

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@jest/core/node_modules/ansi-regex/package.json,/node_modules/cliui/node_modules/ansi-regex/package.json,/node_modules/pretty-format/node_modules/ansi-regex/package.json,/node_modules/string-width/node_modules/ansi-regex/package.json,/node_modules/string-length/node_modules/ansi-regex/package.json,/node_modules/wrap-ansi/node_modules/ansi-regex/package.json,/node_modules/inquirer/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • inquirer-7.3.3.tgz
      • strip-ansi-6.0.0.tgz
        • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 60afc75e9041891586eda98105e15ee24d5f37d8

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (eslint): 7.16.0

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (eslint): 7.0.0


CVE-2021-44906 (High) detected in minimist-1.2.5.tgz - autoclosed

CVE-2021-44906 - High Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-friendly-formatter-4.0.1.tgz (Root Library)
    • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: c3a8894a15bbc202f62ea88ff1de25ecef5b2210

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6


WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/node-express-mongo-db/package.json

Path to vulnerable library: /tmp/ws-scm/node-express-mongo-db/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 1774a027c719f93ef73209dde141fe893040cd25

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

An in-range update of nodemon is breaking the build 🚨


🚨 Reminder! Less than one month left to migrate your repositories over to Snyk before Greenkeeper says goodbye on June 3rd! 💜 🚚💨 💚

Find out how to migrate to Snyk at greenkeeper.io


The devDependency nodemon was updated from 2.0.3 to 2.0.4.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

nodemon is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • Travis CI - Branch: The build passed.
  • WhiteSource Security Check: The Security Check found 1 vulnerability.

Severity | CVSS Score | CVE          | GitHub Issue
High     | 8.1        | WS-2020-0070 | #18

Scan token: 69668cdeef2242b986ce8eec42a787f5

Release Notes for v2.0.4

2.0.4 (2020-05-14)

Bug Fixes

Commits

The new version differs by 3 commits.

  • a74f5dc fix: add funding in package
  • 43def51 docs: Fix run-on sentence (#1704)
  • f18286e docs: update issue templates

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of eslint-plugin-react is breaking the build 🚨

The devDependency eslint-plugin-react was updated from 7.14.0 to 7.14.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

eslint-plugin-react is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • Travis CI - Branch: The build errored.
  • WhiteSource Security Check: Way to go! The Security Check did not find any vulnerabilities.
    Scan token: bf58dedbcbed4747b4e75da69be9a975

Release Notes for v7.14.1

Fixed

  • Fix prop-types crash on multiple destructuring (#2319 @golopot)
Commits

The new version differs by 3 commits.

  • 62255af Update CHANGELOG and bump version
  • 655eb01 Merge pull request #2320 from golopot/issue-2319
  • 9639d82 [Fix] prop-types: fix crash on multiple destructuring

See the full diff

Your Greenkeeper Bot 🌴

An in-range update of mongoose is breaking the build 🚨

The dependency mongoose was updated from 5.6.3 to 5.6.4.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

mongoose is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • Travis CI - Branch: The build passed.
  • WhiteSource Security Check: The Security Check found 1 vulnerability.

Severity | CVSS Score | CVE            | GitHub Issue
High     | 7.4        | CVE-2019-10744 | #3

Scan token: 29052c1bec9e4b799e15aff0260d4193

Commits

The new version differs by 17 commits.

  • a2aba34 chore: release 5.6.4
  • 880836e docs(connection): add section on connection handling
  • d627073 fix(schema): support pre(Array, Function) and post(Array, Function)
  • 82442da test(schema): repro #7803
  • 9651ba7 refactor(model): use 'MongooseError' instead of 'Error' because 'Error' conflicts with global.Error
  • 701c0ec fix(document): load docs with a once property successfully
  • 36cb96e test(document): repro #7958
  • 67ddf3b docs(tutorials): add virtual tutorial
  • e96b6bd refactor(populate): move getModelsMapForPopulate() into separate function
  • 2b7622b fix(update): fix error when update property gets casted to null
  • 5393bb1 fix(queryhelpers): ensure parent select overwrites child path select if parent is nested
  • cee8bc8 test(queryhelpers): repro #7945
  • 736fcdb refactor: use ./error/index rather than ./error to avoid potential issues with imports
  • cbc81c8 fix(schema): make clone() correctly copy array embedded discriminators
  • 9db74dc test(schema): repro #7954

There are 17 commits in total.

See the full diff

Your Greenkeeper Bot 🌴
