turkdevops / angular
This project forked from angular/angular
One framework. Mobile & desktop.
Home Page: https://angular.io
License: MIT License
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: /aio/package.json
Path to vulnerable library: /aio/node_modules/trim/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-10-27
Fix Resolution (trim): 0.0.3
Direct dependency fix Resolution (remark): 13.0.0
Step up your Open Source Security Game with Mend here
The config thing npm uses
Library home page: https://registry.npmjs.org/npmconf/-/npmconf-2.0.9.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/npmconf
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions of npmconf before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x.
Publish Date: 2018-05-16
URL: WS-2018-0114
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/653
Release Date: 2018-01-27
Fix Resolution: 2.1.3
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/https-proxy-agent
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
Publish Date: 2018-02-28
URL: WS-2018-0072
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/593
Release Date: 2018-01-27
Fix Resolution: 2.2.0
HTTP response freshness testing
Library home page: https://registry.npmjs.org/fresh/-/fresh-0.5.0.tgz
Path to dependency file: /integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/fresh/package.json,/integration/injectable-def/node_modules/fresh/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Publish Date: 2018-06-07
URL: CVE-2017-16119
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/526
Release Date: 2018-06-07
Fix Resolution (fresh): 0.5.2
Direct dependency fix Resolution (lite-server): 2.3.0
HTML enhanced for web apps
Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
XSS vulnerability in angular.js (1.6.8 and before)
Publish Date: 2018-01-06
URL: WS-2018-0022
Base Score Metrics:
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz
Path to dependency file: /integration/side-effects/package.json
Path to vulnerable library: /integration/side-effects/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability, leading to a denial of service, since the string is not valid UTF-16 and this results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (check-side-effects): 0.0.22
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz
Path to dependency file: /integration/injectable-def/package.json
Path to vulnerable library: /integration/injectable-def/node_modules/mime/package.json,/integration/hello_world__systemjs_umd/node_modules/mime/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (lite-server): 2.3.0
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: angular/integration/cli-hello-world/package.json
Path to vulnerable library: angular/integration/cli-hello-world/node_modules/set-value,angular/integration/cli-hello-world-ivy-minimal/node_modules/set-value,angular/integration/cli-hello-world-ivy-compat/node_modules/set-value,angular/integration/platform-server/node_modules/set-value
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: angular/integration/cli-hello-world-ivy-compat/package.json
Path to vulnerable library: angular/integration/cli-hello-world-ivy-compat/node_modules/set-value,angular/integration/cli-hello-world-ivy-minimal/node_modules/set-value,angular/integration/cli-hello-world/node_modules/set-value,angular/integration/platform-server/node_modules/set-value
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/set-value@95e9d99
Release Date: 2019-07-24
Fix Resolution: 2.0.1,3.0.1
gRPC Library for Node - pure JS implementation
Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.6.16.tgz
Path to dependency file: /aio/package.json
Path to vulnerable library: /aio/node_modules/@grpc/grpc-js/package.json
Dependency Hierarchy:
gRPC Library for Node - pure JS implementation
Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.6.18.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json
Dependency Hierarchy:
gRPC Library for Node - pure JS implementation
Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-0.7.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@grpc/grpc-js/package.json
Dependency Hierarchy:
gRPC Library for Node - pure JS implementation
Library home page: https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.0.5.tgz
Path to dependency file: /aio/package.json
Path to vulnerable library: /aio/node_modules/@grpc/grpc-js/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
Publish Date: 2020-11-11
URL: CVE-2020-7768
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768
Release Date: 2020-11-11
Fix Resolution (@grpc/grpc-js): 1.1.8
Direct dependency fix Resolution (firebase-tools): 9.0.0
kill trees of processes
Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.1.tgz
Path to dependency file: /integration/platform-server/package.json
Path to vulnerable library: /integration/platform-server/node_modules/tree-kill/package.json
Dependency Hierarchy:
kill trees of processes
Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.0.tgz
Path to dependency file: /integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/tree-kill/package.json,/integration/injectable-def/node_modules/tree-kill/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Publish Date: 2019-12-18
URL: CVE-2019-15599
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/701183
Release Date: 2019-12-18
Fix Resolution (tree-kill): 1.2.2
Direct dependency fix Resolution (concurrently): 3.2.0
Fix Resolution (tree-kill): 1.2.2
Direct dependency fix Resolution (concurrently): 3.5.0
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: angular/integration/cli-hello-world-ivy-compat/package.json
Path to vulnerable library: angular/integration/cli-hello-world-ivy-compat/node_modules/mixin-deep,angular/integration/cli-hello-world/node_modules/mixin-deep,angular/integration/platform-server/node_modules/mixin-deep,angular/integration/cli-hello-world-ivy-minimal/node_modules/mixin-deep
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz
Path to dependency file: /integration/cli-hello-world-lazy/package.json
Path to vulnerable library: /integration/cli-hello-world-lazy/node_modules/handlebars/package.json,/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json
Dependency Hierarchy:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz
Path to dependency file: /integration/cli-hello-world-ivy-i18n/package.json
Path to vulnerable library: /integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,/integration/ivy-i18n/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Publish Date: 2020-09-30
URL: CVE-2019-20922
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.1.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
An XML builder for node.js
Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlbuilder/package.json
Dependency Hierarchy:
An XML builder for node.js
Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-9.0.4.tgz
Path to dependency file: /integration/cli-hello-world/package.json
Path to vulnerable library: /integration/cli-hello-world/node_modules/xmlbuilder/package.json,/integration/hello_world__systemjs_umd/node_modules/xmlbuilder/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.
Publish Date: 2018-02-08
URL: WS-2018-0625
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-02-08
Fix Resolution (xmlbuilder): 9.0.5
Direct dependency fix Resolution (protractor): 5.4.4
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.11.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/lodash/package.json,/node_modules/lodash/package.json,/integration/injectable-def/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
The modern build of lodash’s `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash.template/package.json
Dependency Hierarchy:
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /integration/injectable-def/package.json
Path to vulnerable library: /integration/injectable-def/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /integration/cli-hello-world-ivy-minimal/package.json
Path to vulnerable library: /integration/cli-hello-world-ivy-minimal/node_modules/lodash/package.json,/integration/cli-hello-world-ivy-compat/node_modules/lodash/package.json,/integration/platform-server/node_modules/lodash/package.json,/integration/cli-hello-world/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (concurrently): 3.5.0
A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk
Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/adm-zip
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
adm-zip versions before 0.4.9 are vulnerable to Arbitrary File Write due to extraction of a specifically crafted archive that contains path traversal filenames.
Publish Date: 2018-04-22
URL: WS-2019-0231
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/994
Release Date: 2019-09-09
Fix Resolution: 0.4.9
Parse, validate, manipulate, and display dates
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.10.6/moment.min.js
Path to dependency file: angular/aio/node_modules/validate.js/examples.html
Path to vulnerable library: angular/aio/node_modules/validate.js/examples.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2016-4055
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055
Release Date: 2017-01-23
Fix Resolution: 2.11.2
Parse, validate, manipulate, and display dates
Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.10.6/moment.min.js
Path to dependency file: angular/aio/node_modules/validate.js/examples.html
Path to vulnerable library: angular/aio/node_modules/validate.js/examples.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Regular expression denial of service vulnerability in the moment package, triggered by passing a specific 40-character-long string to the "format" method.
Publish Date: 2016-10-24
URL: WS-2016-0075
Base Score Metrics:
Type: Upgrade version
Origin: moment/moment#3525
Release Date: 2016-10-24
Fix Resolution: 2.15.2
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /integration/cli-hello-world-lazy-rollup/package.json
Path to vulnerable library: /integration/cli-hello-world-lazy-rollup/node_modules/kind-of/package.json,/integration/ng_update_migrations/node_modules/kind-of/package.json,/integration/cli-hello-world-ivy-compat/node_modules/kind-of/package.json,/integration/cli-hello-world/node_modules/kind-of/package.json,/integration/platform-server/node_modules/kind-of/package.json,/integration/cli-hello-world-ivy-minimal/node_modules/kind-of/package.json,/integration/cli-hello-world-lazy/node_modules/kind-of/package.json,/integration/cli-hello-world-ivy-i18n/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2020-08-24
Fix Resolution: 6.0.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.js
Path to dependency file: /aio/content/examples/upgrade-phonecat-1-typescript/app/index.html
Path to vulnerable library: /aio/content/examples/upgrade-phonecat-1-typescript/app/index.html,/aio/content/examples/upgrade-phonecat-2-hybrid/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://registry.npmjs.org/jquery/-/jquery-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: /integration/dynamic-compiler/package.json
Path to vulnerable library: /integration/dynamic-compiler/node_modules/object-path/package.json,/integration/ng_elements/node_modules/object-path/package.json,/integration/hello_world__systemjs_umd/node_modules/object-path/package.json,/integration/hello_world__closure/node_modules/object-path/package.json,/integration/ngcc/node_modules/object-path/package.json,/integration/injectable-def/node_modules/object-path/package.json,/integration/i18n/node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (lite-server): 2.3.0
Tiny millisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.3.tgz
Path to dependency file: angular/integration/injectable-def/package.json
Path to vulnerable library: angular/integration/injectable-def/node_modules/ms/package.json,angular/integration/hello_world__systemjs_umd/node_modules/ms/package.json,angular/node_modules/ms/package.json
Dependency Hierarchy:
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: angular/packages/zone.js/package.json
Path to vulnerable library: angular/packages/zone.js/node_modules/ms/package.json,angular/integration/hello_world__systemjs_umd/node_modules/ms/package.json,angular/integration/injectable-def/node_modules/ms/package.json
Dependency Hierarchy:
Tiny millisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-1.0.0.tgz
Path to dependency file: angular/integration/injectable-def/package.json
Path to vulnerable library: angular/integration/injectable-def/node_modules/ms/package.json,angular/integration/hello_world__systemjs_umd/node_modules/ms/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
Base Score Metrics:
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.
Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tunnel-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2017-03-05
URL: WS-2018-0076
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/598
Release Date: 2017-03-05
Fix Resolution: 0.6.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz
Path to dependency file: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json
Path to vulnerable library: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json,/integration/cli-hello-world-ivy-i18n/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.7.tgz
Path to dependency file: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json
Path to vulnerable library: /aio/aio-builds-setup/dockerbuild/scripts-js/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gxpj-cx7g-858c
Release Date: 2018-04-26
Fix Resolution (debug): 3.2.7
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1100.0
Fix Resolution (debug): 3.2.7
Direct dependency fix Resolution (@angular/localize): 9.0.0
Fix Resolution (debug): 3.2.7
Direct dependency fix Resolution (jasmine): 3.6.2
A simple static file server middleware
Library home page: https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz
Path to dependency file: angular/package.json
Path to vulnerable library: angular/node_modules/ecstatic/package.json,angular/integration/bazel/node_modules/ecstatic/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions of ecstatic prior to 4.1.2 fail to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domain.
Publish Date: 2019-04-27
URL: WS-2019-0066
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/830/versions
Release Date: 2019-05-02
Fix Resolution: 4.1.2
Recursive object extending
Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz
Path to dependency file: /integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/deep-extend/package.json,/integration/cli-hello-world/node_modules/deep-extend/package.json,/integration/injectable-def/node_modules/deep-extend/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Publish Date: 2018-07-03
URL: CVE-2018-3750
Base Score Metrics:
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
Release Date: 2018-07-03
Fix Resolution: 0.5.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /integration/i18n/package.json
Path to vulnerable library: /integration/i18n/package.json,/integration/injectable-def/package.json,/integration/platform-server/package.json,/integration/hello_world__closure/package.json,/integration/ng_update/package.json,/integration/side-effects/package.json,/integration/ng_elements/package.json,/integration/cli-hello-world-ivy-i18n/package.json,/package.json,/aio/aio-builds-setup/dockerbuild/scripts-js/package.json,/integration/terser/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (protractor): 5.4.4
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz
Path to dependency file: /integration/cli-hello-world-lazy/package.json
Path to vulnerable library: /integration/cli-hello-world-lazy/node_modules/handlebars/package.json,/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json
Dependency Hierarchy:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz
Path to dependency file: /integration/cli-hello-world-ivy-i18n/package.json
Path to vulnerable library: /integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,/integration/ivy-i18n/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2020-10-15
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.1.1
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (karma-coverage-istanbul-reporter): 2.1.1
HTML enhanced for web apps
Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Both Firefox and Safari are vulnerable to XSS if we use an inert document created via document.implementation.createHTMLDocument().
Publish Date: 2017-05-25
URL: WS-2017-0268
Base Score Metrics:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz
Path to dependency file: angular/integration/cli-hello-world-lazy/package.json
Path to vulnerable library: angular/integration/cli-hello-world-lazy/node_modules/handlebars/package.json,angular/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json
Dependency Hierarchy:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz
Path to dependency file: angular/integration/cli-hello-world-ivy-i18n/package.json
Path to vulnerable library: angular/integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,angular/integration/ivy-i18n/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-14
URL: WS-2019-0493
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-11-14
Fix Resolution: handlebars - 3.0.8,4.5.2
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.3.tgz
Path to dependency file: angular/integration/cli-hello-world-lazy/package.json
Path to vulnerable library: angular/integration/cli-hello-world-lazy/node_modules/handlebars/package.json,angular/integration/cli-hello-world-lazy-rollup/node_modules/handlebars/package.json
Dependency Hierarchy:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.2.tgz
Path to dependency file: angular/integration/cli-hello-world-ivy-i18n/package.json
Path to vulnerable library: angular/integration/cli-hello-world-ivy-i18n/node_modules/handlebars/package.json,angular/integration/ivy-i18n/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-19
URL: WS-2019-0492
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-11-19
Fix Resolution: handlebars - 3.0.8,4.5.3
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/marked/package.json,/aio/node_modules/marked/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (marked): 1.1.1
Direct dependency fix Resolution (firebase-tools): 10.1.2
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/integration/cli-hello-world-ivy-i18n/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1100.0
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Path to dependency file: /integration/injectable-def/package.json
Path to vulnerable library: /integration/injectable-def/node_modules/fstream/package.json,/integration/hello_world__systemjs_umd/node_modules/fstream/package.json,/integration/cli-hello-world/node_modules/fstream/package.json
Dependency Hierarchy:
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fstream/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Publish Date: 2019-07-02
URL: CVE-2019-13173
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
Release Date: 2020-08-24
Fix Resolution (fstream): 1.0.12
Direct dependency fix Resolution (browserstacktunnel-wrapper): 2.0.4
A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk
Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz
Path to dependency file: /integration/injectable-def/package.json
Path to vulnerable library: /integration/injectable-def/node_modules/adm-zip/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Publish Date: 2018-07-25
URL: CVE-2018-1002204
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1002204
Release Date: 2018-07-25
Fix Resolution (adm-zip): 0.4.9
Direct dependency fix Resolution (protractor): 5.4.4
Parse the value of the Content-Type header
Library home page: https://registry.npmjs.org/content-type-parser/-/content-type-parser-1.0.2.tgz
Path to dependency file: /aio/package.json
Path to vulnerable library: /aio/node_modules/content-type-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
All versions prior to 2.0.0 of the content-type-parser npm package are vulnerable to ReDoS via the user agent parser. The vulnerability was fixed by introducing a new parser and deleting the old one.
Publish Date: 2017-12-10
URL: WS-2017-3757
Base Score Metrics:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: /integration/hello_world__systemjs_umd/node_modules/tar/package.json,/integration/injectable-def/node_modules/tar/package.json,/integration/cli-hello-world/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2019-04-30
Fix Resolution: 2.2.2,4.4.2
Encode and decode streams into string streams
Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz
Path to dependency file: /integration/injectable-def/package.json
Path to vulnerable library: /integration/injectable-def/node_modules/stringstream/package.json,/integration/cli-hello-world/node_modules/stringstream/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
Publish Date: 2020-12-03
URL: CVE-2018-21270
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21270
Release Date: 2020-12-03
Fix Resolution: 0.0.6
HTML enhanced for web apps
Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
On Firefox there is an XSS vulnerability in case a malicious attacker can write into the xml:base attribute on an SVG anchor.
Publish Date: 2018-01-06
URL: WS-2018-0015
Base Score Metrics:
HTML enhanced for web apps
Library home page: https://registry.npmjs.org/angular/-/angular-1.5.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/angular-1.5@npm:angular/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.
Publish Date: 2016-09-20
URL: WS-2018-0001
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-28hp-fgcr-2r4h
Release Date: 2016-09-20
Fix Resolution: 1.6.0-rc.0
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-3.2.0.tgz
Path to dependency file: /packages/zone.js/package.json
Path to vulnerable library: /packages/zone.js/node_modules/diff/package.json
Dependency Hierarchy:
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz
Path to dependency file: /packages/zone.js/package.json
Path to vulnerable library: /packages/zone.js/node_modules/diff/package.json
Dependency Hierarchy:
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz
Path to dependency file: /integration/cli-hello-world/package.json
Path to vulnerable library: /integration/cli-hello-world/node_modules/diff/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (mocha): 5.0.3
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (tslint): 5.19.0
Object value retrieval given a string path
Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
pathval before version 1.1.1 is vulnerable to prototype pollution.
Publish Date: 2020-10-26
URL: CVE-2020-7751
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751
Release Date: 2020-10-26
Fix Resolution (pathval): 1.1.1
Direct dependency fix Resolution (chai): 4.3.0
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.12.tgz
Path to dependency file: /integration/injectable-def/package.json
Path to vulnerable library: /integration/injectable-def/node_modules/ua-parser-js/package.json,/integration/hello_world__systemjs_umd/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Path to dependency file: /integration/hello_world__closure/package.json
Path to vulnerable library: /integration/hello_world__closure/node_modules/ua-parser-js/package.json,/integration/ngcc/node_modules/ua-parser-js/package.json,/integration/dynamic-compiler/node_modules/ua-parser-js/package.json,/integration/i18n/node_modules/ua-parser-js/package.json,/integration/ng_elements/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Path to dependency file: /aio/package.json
Path to vulnerable library: /aio/node_modules/ua-parser-js/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (lite-server): 2.3.0
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (lite-server): 2.3.0
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (karma): 5.2.3
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to dependency file: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Path to vulnerable library: angular/aio/node_modules/lighthouse/docs/recipes/gulp/public/index.html
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Path to dependency file: /integration/ngcc/package.json
Path to vulnerable library: /integration/ngcc/node_modules/axios/package.json,/integration/hello_world__closure/node_modules/axios/package.json,/integration/i18n/node_modules/axios/package.json,/integration/dynamic-compiler/node_modules/axios/package.json,/integration/ng_elements/node_modules/axios/package.json
Dependency Hierarchy:
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (lite-server): 2.3.0
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (firebase-tools): 8.0.0
A library for finding and using SSH public keys
Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz
Path to dependency file: angular/integration/hello_world__systemjs_umd/package.json
Path to vulnerable library: angular/integration/hello_world__systemjs_umd/node_modules/sshpk/package.json,angular/integration/injectable-def/node_modules/sshpk/package.json
Dependency Hierarchy:
Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3
Found in base branch: labs/router
Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.
Publish Date: 2018-04-25
URL: WS-2018-0084
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/606
Release Date: 2018-01-27
Fix Resolution: 1.14.1