jeremyje / webcron Goto Github PK

Vulnerabilities

DepShield reports that this application's usage of bl:4.1.0 results in the following vulnerability(s):

• (CVSS 4.3) CWE-200: Information Exposure

Occurrences

bl:4.1.0 is a transitive dependency introduced by the following direct dependency(s):

• puppeteer:10.1.0
        └─ tar-fs:2.0.0
              └─ tar-stream:2.2.0
                    └─ bl:4.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-haste-map:25.5.1
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ braces:2.3.2
                                      └─ fill-range:4.0.0
                                            └─ is-number:3.0.0
                                                  └─ kind-of:3.2.2
                                      └─ snapdragon-node:2.1.1
                                            └─ snapdragon-util:3.0.1
                                                  └─ kind-of:3.2.2
                                └─ snapdragon:0.8.2
                                      └─ base:0.11.2
                                            └─ cache-base:1.0.1
                                                  └─ has-value:1.0.0
                                                        └─ has-values:1.0.0
                                                              └─ is-number:3.0.0
                                                                    └─ kind-of:3.2.2
                                                  └─ to-object-path:0.3.0
                                                        └─ kind-of:3.2.2
                                            └─ class-utils:0.3.6
                                                  └─ static-extend:0.1.2
                                                        └─ object-copy:0.1.0
                                                              └─ kind-of:3.2.2
                                      └─ define-property:0.2.5
                                            └─ is-descriptor:0.1.6
                                                  └─ is-accessor-descriptor:0.1.6
                                                        └─ kind-of:3.2.2
                                                  └─ is-data-descriptor:0.1.4
                                                        └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of acorn:6.4.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:6.4.1 is a transitive dependency introduced by the following direct dependency(s):

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-config:25.5.4
                    └─ jest-environment-jsdom:25.5.0
                          └─ jsdom:15.2.1
                                └─ acorn-globals:4.3.4
                                      └─ acorn:6.4.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-config:25.5.4
                    └─ jest-environment-jsdom:25.5.0
                          └─ jsdom:15.2.1
                                └─ whatwg-url:7.1.0
                                      └─ lodash.sortby:4.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of y18n:4.0.0 results in the following vulnerability(s):

• (CVSS 8.2) CWE-20: Improper Input Validation

Occurrences

y18n:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• concurrently:5.3.0
        └─ yargs:13.3.2
              └─ y18n:4.0.0

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-runtime:25.5.4
                    └─ yargs:15.3.1
                          └─ y18n:4.0.0
        └─ jest-cli:25.5.4
              └─ yargs:15.3.1
                    └─ y18n:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of bl:4.0.2 results in the following vulnerability(s):

• (CVSS 4.3) CWE-200: Information Exposure

Occurrences

bl:4.0.2 is a transitive dependency introduced by the following direct dependency(s):

• puppeteer:5.2.1
        └─ tar-fs:2.1.0
              └─ tar-stream:2.1.3
                    └─ bl:4.0.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of hosted-git-info:2.8.8 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
• (CVSS 5.3) [CVE-2021-23362] The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression De...

Occurrences

hosted-git-info:2.8.8 is a transitive dependency introduced by the following direct dependency(s):

• concurrently:5.3.0
        └─ read-pkg:4.0.1
              └─ normalize-package-data:2.5.0
                    └─ hosted-git-info:2.8.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-haste-map:25.5.1
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ snapdragon:0.8.2
                                      └─ base:0.11.2
                                            └─ cache-base:1.0.1
                                                  └─ has-value:1.0.0
                                                        └─ has-values:1.0.0
                                                              └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

There's currently build step duplication between the docker images and makefile. Just run it through the makefile. Also remove manual nodejs install since the makefile also installs a local copy of nodejs.

Vulnerabilities

DepShield reports that this application's usage of lodash:4.17.19 results in the following vulnerability(s):

• (CVSS 9.8) CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• (CVSS 7.4) [CVE-2020-8203] Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.
• (CVSS 7.2) [CVE-2021-23337] Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the tem...
• (CVSS 5.3) [CVE-2020-28500] All versions of package lodash; all versions of package org.fujion.webjars:lodas...

Occurrences

lodash:4.17.19 is a transitive dependency introduced by the following direct dependency(s):

• concurrently:5.3.0
        └─ lodash:4.17.19

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ @jest/reporters:25.5.1
                    └─ istanbul-lib-instrument:4.0.1
                          └─ @babel/traverse:7.9.6
                                └─ lodash:4.17.19
              └─ @jest/transform:25.5.1
                    └─ @babel/core:7.9.6
                          └─ @babel/generator:7.9.6
                                └─ lodash:4.17.19
                          └─ @babel/helper-module-transforms:7.9.0
                                └─ lodash:4.17.19
                          └─ lodash:4.17.19
              └─ jest-config:25.5.4
                    └─ jest-environment-jsdom:25.5.0
                          └─ jsdom:15.2.1
                                └─ request-promise-native:1.0.8
                                      └─ request-promise-core:1.1.3
                                            └─ lodash:4.17.19
              └─ jest-snapshot:25.5.1
                    └─ @babel/types:7.9.6
                          └─ lodash:4.17.19

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

• pkg:5.3.0
        └─ prebuild-install:6.0.1
              └─ rc:1.2.8
                    └─ ini:1.3.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-haste-map:25.5.1
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ snapdragon:0.8.2
                                      └─ define-property:0.2.5
                                            └─ is-descriptor:0.1.6
                                                  └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• ts-jest:25.5.1
        └─ lodash.memoize:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• compression:1.7.4
        └─ debug:2.6.9

• express:4.17.1
        └─ body-parser:1.19.0
              └─ debug:2.6.9
        └─ debug:2.6.9
        └─ finalhandler:1.1.2
              └─ debug:2.6.9
        └─ send:0.17.1
              └─ debug:2.6.9

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-haste-map:25.5.1
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
                                └─ snapdragon:0.8.2
                                      └─ debug:2.6.9

• morgan:1.10.0
        └─ debug:2.6.9

• serve-index:1.9.1
        └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}