atom's Introduction

Atom

Atom is a hackable text editor for the 21st century, built on Electron, and based on everything we love about our favorite editors. We designed it to be deeply customizable, but still approachable using the default configuration.

Atom Screenshot

Visit atom.io to learn more or visit the Atom forum.

Follow @AtomEditor on Twitter for important announcements.

This project adheres to the Contributor Covenant code of conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to [email protected].

Documentation

If you want to read about using Atom or developing packages in Atom, the Atom Flight Manual is free and available online. You can find the source to the manual in atom/flight-manual.atom.io.

The API reference for developing packages is also documented on Atom.io.

Installing

Prerequisites

macOS

Download the latest Atom release.

Atom will automatically update when a new release is available.

Windows

Download the latest Atom installer. AtomSetup.exe is 32-bit. For 64-bit systems, download AtomSetup-x64.exe.

Atom will automatically update when a new release is available.

You can also download atom-windows.zip (32-bit) or atom-x64-windows.zip (64-bit) from the releases page. The .zip version will not automatically update.

Using Chocolatey? Run cinst Atom to install the latest version of Atom.

Linux

Atom is only available for 64-bit Linux systems.

Configure your distribution's package manager to install and update Atom by following the Linux installation instructions in the Flight Manual. You will also find instructions on how to install Atom's official Linux packages without using a package repository, though you will not get automatic updates after installing Atom this way.

Archive extraction

An archive is available for people who don't want to install atom as root.

This version enables you to install multiple Atom versions in parallel. It has been built on Ubuntu 64-bit, but should be compatible with other Linux distributions.

  1. Install dependencies (on Ubuntu): sudo apt install git gconf2 gconf-service libgtk2.0-0 libudev1 libgcrypt20 libnotify4 libxtst6 libnss3 python gvfs-bin xdg-utils libcap2
  2. Download atom-amd64.tar.gz from the Atom releases page.
  3. Run tar xf atom-amd64.tar.gz in the directory where you want to extract the Atom folder.
  4. Launch Atom using the installed atom command from the newly extracted directory.

The Linux version does not currently automatically update so you will need to repeat these steps to upgrade to future releases.

Building

Discussion

License

MIT

When using the Atom or other GitHub logos, be sure to follow the GitHub logo guidelines.

atom's People

Contributors

50wliu, as-cii, ben3eee, benogle, binarymuse, bolinfest, damieng, darangi, daviwil, defunkt, gjtorikian, izuzak, jasonrudolph, jonrohan, joshaber, kevinnathan, kevinsawicki, kuychaco, lee-dohm, matthewwithanm, maxbrunsfeld, mnquintana, probablycorey-and-nathan, probablykevin, rafeca, simurai, smashwilson, thedaniel, thomasjo, zcbenz

atom's Issues

CVE-2019-10744 (Critical) detected in multiple libraries

CVE-2019-10744 - Critical Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.10.tgz, lodash-4.17.11.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/script/vsts/node_modules/publish-release/node_modules/lodash/package.json,/script/node_modules/babel-plugin-proto-to-assign/node_modules/lodash/package.json,/script/node_modules/babel-core/node_modules/lodash/package.json,/script/vsts/node_modules/inquirer/node_modules/lodash/package.json

Dependency Hierarchy:

  • publish-release-1.6.0.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /script/vsts/package.json

Path to vulnerable library: /script/vsts/node_modules/lodash/package.json,/script/node_modules/lodash/package.json

Dependency Hierarchy:

  • rest-15.9.5.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/@babel/traverse/node_modules/lodash/package.json,/script/node_modules/table/node_modules/lodash/package.json,/script/node_modules/inquirer/node_modules/lodash/package.json,/script/node_modules/@babel/generator/node_modules/lodash/package.json,/script/node_modules/@babel/types/node_modules/lodash/package.json,/script/node_modules/eslint/node_modules/lodash/package.json,/script/node_modules/eslint-plugin-import/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.17.2.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (@octokit/rest): 15.9.6

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (eslint-plugin-import): 2.17.3


Step up your Open Source Security Game with Mend here

CVE-2021-27290 (High) detected in multiple libraries - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Libraries - ssri-5.3.0.tgz, ssri-6.0.1.tgz, ssri-6.0.0.tgz

ssri-5.3.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/npm-registry-client/node_modules/ssri/package.json,/apm/node_modules/atom-package-manager/node_modules/npm/node_modules/npm-registry-fetch/node_modules/ssri/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz
      • npm-registry-client-8.5.1.tgz
        • ssri-5.3.0.tgz (Vulnerable Library)

ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • ssri-6.0.1.tgz (Vulnerable Library)

ssri-6.0.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz
      • ssri-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (npm): 6.14.7


WS-2021-0154 (Medium) detected in glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz - autoclosed

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/glob-parent/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • glob-parent-2.0.0.tgz (Vulnerable Library)

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • globby-8.0.1.tgz
      • fast-glob-2.2.2.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2


Step up your Open Source Security Game with WhiteSource here

CVE-2021-33502 (High) detected in normalize-url-2.0.1.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Library - normalize-url-2.0.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz

Path to dependency file: atom/script/vsts/package.json

Path to vulnerable library: atom/script/vsts/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • download-7.1.0.tgz (Root Library)
    • got-8.3.2.tgz
      • cacheable-request-2.1.4.tgz
        • normalize-url-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1


WS-2018-0628 (Medium) detected in marked-0.3.19.js, marked-0.3.19.tgz - autoclosed

WS-2018-0628 - Medium Severity Vulnerability

Vulnerable Libraries - marked-0.3.19.js, marked-0.3.19.tgz

marked-0.3.19.js

A markdown parser built for speed

Library home page: https://cdnjs.cloudflare.com/ajax/libs/marked/0.3.19/marked.js

Path to dependency file: atom/node_modules/settings-view/node_modules/marked/www/demo.html

Path to vulnerable library: atom/node_modules/settings-view/node_modules/marked/www/../lib/marked.js,atom/packages/deprecation-cop/node_modules/marked/www/../lib/marked.js,atom/node_modules/notifications/node_modules/marked/www/../lib/marked.js,atom/node_modules/roaster/node_modules/marked/www/../lib/marked.js

Dependency Hierarchy:

  • marked-0.3.19.js (Vulnerable Library)

marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/settings-view/node_modules/marked/package.json,atom/node_modules/roaster/node_modules/marked/package.json,atom/packages/deprecation-cop/node_modules/marked/package.json,atom/node_modules/notifications/node_modules/marked/package.json

Dependency Hierarchy:

  • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (ReDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: 2018-04-16

Fix Resolution: marked - 0.4.0


WS-2020-0342 (Medium) detected in is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz - autoclosed

WS-2020-0342 - Medium Severity Vulnerability

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Path to dependency file: atom/packages/welcome/package.json

Path to vulnerable library: atom/packages/welcome/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.19.0.tgz (Vulnerable Library)

is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Path to dependency file: atom/packages/dalek/package.json

Path to vulnerable library: atom/packages/dalek/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.20.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-27

Fix Resolution: is-my-json-valid - 2.20.2


CVE-2021-33623 (High) detected in trim-newlines-1.0.0.tgz, trim-newlines-2.0.0.tgz - autoclosed

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Libraries - trim-newlines-1.0.0.tgz, trim-newlines-2.0.0.tgz

trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /repo-with-submodules/You-Dont-Need-jQuery/package.json

Path to vulnerable library: atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/trim-newlines/package.json,atom/script/node_modules/trim-newlines/package.json,atom/script/vsts/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • karma-coverage-0.5.5.tgz (Root Library)
    • dateformat-1.0.12.tgz
      • meow-3.7.0.tgz
        • trim-newlines-1.0.0.tgz (Vulnerable Library)

trim-newlines-2.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-2.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/stylelint/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • trim-newlines-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1


WS-2017-3772 (High) detected in underscore.string-3.3.5.tgz - autoclosed

WS-2017-3772 - High Severity Vulnerability

Vulnerable Library - underscore.string-3.3.5.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/underscore.string/package.json

Dependency Hierarchy:

  • donna-1.0.16.tgz (Root Library)
    • underscore.string-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2018-20834 (High) detected in tar-2.2.1.tgz - autoclosed

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz
      • node-gyp-3.7.0.tgz
        • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: tar - 2.2.2,4.4.2


DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

CVE-2019-10747 (High) detected in set-value-0.4.3.tgz, set-value-2.0.0.tgz

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • globby-8.0.1.tgz
      • fast-glob-2.2.2.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • union-value-1.0.0.tgz
                  • set-value-0.4.3.tgz (Vulnerable Library)

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/set-value/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • globby-8.0.1.tgz
      • fast-glob-2.2.2.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • set-value-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (stylelint): 9.4.0


CVE-2019-16728 (Medium) detected in dompurify-1.0.11.tgz

CVE-2019-16728 - Medium Severity Vulnerability

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

Publish Date: 2019-09-24

URL: CVE-2019-16728

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16728

Release Date: 2019-09-24

Fix Resolution: 2.0.1


WS-2021-0152 (High) detected in color-string-0.2.4.tgz

WS-2021-0152 - High Severity Vulnerability

Vulnerable Library - color-string-0.2.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

  • color-0.7.3.tgz (Root Library)
    • color-string-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (color): 1.0.0


WS-2020-0344 (High) detected in is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz - autoclosed

WS-2020-0344 - High Severity Vulnerability

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.19.0.tgz (Vulnerable Library)

is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Path to dependency file: /packages/dalek/package.json

Path to vulnerable library: /packages/dalek/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.20.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (standard): 9.0.0-beta.0


WS-2018-0628 (Medium) detected in marked-0.3.19.tgz

WS-2018-0628 - Medium Severity Vulnerability

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/roaster/node_modules/marked/package.json,/packages/deprecation-cop/node_modules/marked/package.json,/node_modules/notifications/node_modules/marked/package.json,/node_modules/settings-view/node_modules/marked/package.json

Dependency Hierarchy:

  • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (ReDoS) through heading parsing in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-04-16

Fix Resolution: 0.4.0


CVE-2021-23382 (Medium) detected in multiple libraries - autoclosed

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-5.2.4.tgz, postcss-6.0.22.tgz, postcss-5.2.18.tgz, postcss-6.0.23.tgz

postcss-5.2.4.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.4.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-5.2.4.tgz (Vulnerable Library)

postcss-6.0.22.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.22.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/postcss-sass/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-sass-0.3.2.tgz
      • postcss-6.0.22.tgz (Vulnerable Library)

postcss-5.2.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/postcss-less/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-less-2.0.0.tgz
      • postcss-5.2.18.tgz (Vulnerable Library)

postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13


Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in multiple libraries

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.10.tgz, lodash-4.17.15.tgz, lodash-4.17.11.tgz

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/task-lists/node_modules/lodash/package.json,/node_modules/roaster/node_modules/lodash/package.json

Dependency Hierarchy:

  • settings-view-0.261.3.tgz (Root Library)
    • roaster-1.2.1.tgz
      • cheerio-0.15.0.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

  • babel-core-5.8.38.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /script/vsts/package.json

Path to vulnerable library: /script/vsts/node_modules/lodash/package.json,/script/node_modules/lodash/package.json

Dependency Hierarchy:

  • rest-15.9.5.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Dependency Hierarchy:

  • mocha-multi-reporters-1.1.7.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/@babel/traverse/node_modules/lodash/package.json,/script/node_modules/table/node_modules/lodash/package.json,/script/node_modules/inquirer/node_modules/lodash/package.json,/script/node_modules/@babel/generator/node_modules/lodash/package.json,/script/node_modules/@babel/types/node_modules/lodash/package.json,/script/node_modules/eslint/node_modules/lodash/package.json,/script/node_modules/eslint-plugin-import/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (babel-core): 6.9.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@octokit/rest): 15.9.6

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (mocha-multi-reporters): 1.5.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (eslint): 6.0.0


CVE-2019-9023 (High) detected in oniguruma1d22eef3a734eb531fb08ced62b44a9ddb2da9a3, https://source.codeaurora.org/quic/lc/external/github.com/ellzey/libevhtp/0.3.6 - autoclosed

CVE-2019-9023 - High Severity Vulnerability

Vulnerable Libraries - oniguruma1d22eef3a734eb531fb08ced62b44a9ddb2da9a3, https://source.codeaurora.org/quic/lc/external/github.com/ellzey/libevhtp/0.3.6

Vulnerability Details

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Publish Date: 2019-02-22

URL: CVE-2019-9023

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9023

Release Date: 2019-02-22

Fix Resolution: 5.6.40,7.1.26,7.2.14,7.3.1


CVE-2017-16024 (Medium) detected in sync-exec-0.5.0.tgz - autoclosed

CVE-2017-16024 - Medium Severity Vulnerability

Vulnerable Library - sync-exec-0.5.0.tgz

Synchronous exec with status code support. Requires no external dependencies, no need for node-gyp compilations etc.

Library home page: https://registry.npmjs.org/sync-exec/-/sync-exec-0.5.0.tgz

Path to dependency file: /packages/line-ending-selector/package.json

Path to vulnerable library: /packages/line-ending-selector/node_modules/sync-exec/package.json

Dependency Hierarchy:

  • standard-5.4.1.tgz (Root Library)
    • standard-format-1.6.10.tgz
      • esformatter-0.8.2.tgz
        • npm-run-2.0.0.tgz
          • sync-exec-0.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Publish Date: 2018-06-04

URL: CVE-2017-16024

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16024

Release Date: 2018-06-04

Fix Resolution: no_fix


WS-2020-0342 (High) detected in is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz - autoclosed

WS-2020-0342 - High Severity Vulnerability

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.19.0.tgz (Vulnerable Library)

is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Path to dependency file: /packages/dalek/package.json

Path to vulnerable library: /packages/dalek/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.20.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-27

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (standard): 9.0.0-beta.0

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (standard): 9.0.0-beta.0


CVE-2021-23382 (Medium) detected in multiple libraries

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-5.2.4.tgz, postcss-6.0.22.tgz, postcss-5.2.18.tgz, postcss-6.0.23.tgz

postcss-5.2.4.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy:

  • postcss-5.2.4.tgz (Vulnerable Library)

postcss-6.0.22.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.22.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/postcss-sass/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-sass-0.3.2.tgz
      • postcss-6.0.22.tgz (Vulnerable Library)

postcss-5.2.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/postcss-less/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-less-2.0.0.tgz
      • postcss-5.2.18.tgz (Vulnerable Library)

postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-6.0.23.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 9.6.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 9.6.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 9.6.0


CVE-2021-33587 (High) detected in css-what-2.1.3.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-2.1.3.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.3.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/css-what/package.json,atom/script/node_modules/css-what/package.json

Dependency Hierarchy:

  • cheerio-1.0.0-rc.2.tgz (Root Library)
    • css-select-1.2.0.tgz
      • css-what-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1


WS-2017-0247 (Low) detected in ms-0.7.2.tgz, ms-0.7.1.tgz - autoclosed

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Libraries - ms-0.7.2.tgz, ms-0.7.1.tgz

ms-0.7.2.tgz

Tiny milisecond conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz

Path to dependency file: /repo-with-submodules/You-Dont-Need-jQuery/package.json

Path to vulnerable library: atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/socket.io-adapter/node_modules/ms/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/engine.io/node_modules/ms/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/socket.io-client/node_modules/ms/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/socket.io/node_modules/ms/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/engine.io-client/node_modules/ms/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • socket.io-1.7.4.tgz
      • socket.io-adapter-0.5.0.tgz
        • debug-2.3.3.tgz
          • ms-0.7.2.tgz (Vulnerable Library)

ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/mocha/node_modules/ms/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/socket.io-parser/node_modules/ms/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/mocha/node_modules/ms/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz
      • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1


WS-2018-0590 (High) detected in diff-2.2.3.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-2.2.3.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-2.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • text-buffer-13.18.6.tgz (Root Library)
    • diff-2.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in diff before v3.5.0: the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution: 3.5.0


CVE-2020-28469 (High) detected in glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • klaw-sync-1.1.2.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • parse-glob-3.0.4.tgz
        • glob-base-0.3.0.tgz
          • glob-parent-2.0.0.tgz (Vulnerable Library)

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • globby-8.0.1.tgz
      • fast-glob-2.2.2.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (klaw-sync): 2.0.0

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (stylelint): 13.0.0


CVE-2020-7754 (High) detected in npm-user-validate-1.0.0.tgz - autoclosed

CVE-2020-7754 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/npm-user-validate/package.json,/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz
      • npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Publish Date: 2020-10-27

URL: CVE-2020-7754

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754

Release Date: 2020-10-27

Fix Resolution (npm-user-validate): 1.0.1

Direct dependency fix Resolution (atom-package-manager): 2.5.0


CVE-2020-7754 (High) detected in npm-user-validate-1.0.0.tgz - autoclosed

CVE-2020-7754 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Publish Date: 2020-10-27

URL: CVE-2020-7754

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754

Release Date: 2020-07-21

Fix Resolution: 1.0.1


WS-2020-0180 (High) detected in npm-user-validate-1.0.0.tgz - autoclosed

WS-2020-0180 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/npm-user-validate/package.json,/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz
      • npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to ReDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution (npm-user-validate): 1.0.1

Direct dependency fix Resolution (atom-package-manager): 2.5.0


CVE-2017-16113 (High) detected in parsejson-0.0.3.tgz - autoclosed

CVE-2017-16113 - High Severity Vulnerability

Vulnerable Library - parsejson-0.0.3.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz

Path to dependency file: /repo-with-submodules/You-Dont-Need-jQuery/package.json

Path to vulnerable library: /spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/parsejson/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • socket.io-1.7.4.tgz
      • socket.io-client-1.7.4.tgz
        • engine.io-client-1.8.6.tgz
          • parsejson-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16113

Release Date: 2018-06-07

Fix Resolution: no_fix


CVE-2021-33587 (High) detected in css-what-2.1.3.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-2.1.3.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.3.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/css-what/package.json

Dependency Hierarchy:

  • cheerio-1.0.0-rc.2.tgz (Root Library)
    • css-select-1.2.0.tgz
      • css-what-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (cheerio): 1.0.0-rc.6


CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/randomatic/node_modules/kind-of/package.json,/script/node_modules/define-property/node_modules/kind-of/package.json,/script/node_modules/snapdragon-node/node_modules/kind-of/package.json,/script/node_modules/nanomatch/node_modules/kind-of/package.json,/script/node_modules/fast-glob/node_modules/kind-of/package.json,/script/node_modules/base/node_modules/kind-of/package.json

Dependency Hierarchy:

  • klaw-sync-1.1.2.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz
        • expand-range-1.8.2.tgz
          • fill-range-2.2.4.tgz
            • randomatic-3.0.0.tgz
              • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (klaw-sync): 2.0.0


Step up your Open Source Security Game with Mend here

CVE-2020-7753 (High) detected in trim-0.0.1.tgz - autoclosed

CVE-2020-7753 - High Severity Vulnerability

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/trim/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • postcss-markdown-0.28.0.tgz
      • remark-9.0.0.tgz
        • remark-parse-5.0.0.tgz
          • trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: component/trim#8

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3


WS-2020-0345 (High) detected in jsonpointer-4.0.1.tgz - autoclosed

WS-2020-0345 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: atom/packages/dalek/package.json

Path to vulnerable library: atom/packages/dalek/node_modules/jsonpointer/package.json,atom/packages/welcome/node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.20.0.tgz
        • jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/janl/node-jsonpointer/releases/tag/v4.1.0

Release Date: 2020-07-03

Fix Resolution: jsonpointer - 4.1.0


WS-2020-0345 (High) detected in jsonpointer-4.0.1.tgz - autoclosed

WS-2020-0345 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: /packages/dalek/package.json

Path to vulnerable library: /packages/dalek/node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.19.0.tgz
        • jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/janl/node-jsonpointer/releases/tag/v4.1.0

Release Date: 2020-07-03

Fix Resolution (jsonpointer): 4.1.0

Direct dependency fix Resolution (standard): 9.0.0-beta.0


CVE-2020-28500 (Medium) detected in multiple libraries - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-4.17.15.tgz, lodash-4.17.11.tgz

lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: atom/script/vsts/package.json

Path to vulnerable library: atom/script/vsts/node_modules/lodash/package.json,atom/packages/welcome/node_modules/lodash/package.json,atom/script/node_modules/lodash/package.json

Dependency Hierarchy:

  • async-2.0.1.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/@babel/generator/node_modules/lodash/package.json,atom/node_modules/@babel/plugin-transform-block-scoping/node_modules/lodash/package.json,atom/node_modules/@babel/core/node_modules/lodash/package.json,atom/node_modules/mocha-multi-reporters/node_modules/lodash/package.json,atom/node_modules/@babel/helper-regex/node_modules/lodash/package.json,atom/node_modules/@babel/helper-module-transforms/node_modules/lodash/package.json,atom/node_modules/@babel/traverse/node_modules/lodash/package.json,atom/node_modules/@babel/helper-define-map/node_modules/lodash/package.json,atom/node_modules/@babel/types/node_modules/lodash/package.json,atom/node_modules/cheerio/node_modules/lodash/package.json,atom/packages/about/node_modules/lodash/package.json

Dependency Hierarchy:

  • standard-11.0.1.tgz (Root Library)
    • eslint-4.18.2.tgz
      • lodash-4.17.15.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/@babel/traverse/node_modules/lodash/package.json,atom/script/node_modules/table/node_modules/lodash/package.json,atom/script/node_modules/inquirer/node_modules/lodash/package.json,atom/script/node_modules/@babel/generator/node_modules/lodash/package.json,atom/script/node_modules/@babel/types/node_modules/lodash/package.json,atom/script/node_modules/eslint/node_modules/lodash/package.json,atom/script/node_modules/eslint-plugin-import/node_modules/lodash/package.json

Dependency Hierarchy:

  • babel-eslint-10.0.1.tgz (Root Library)
    • types-7.4.4.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21


CVE-2020-15095 (Medium) detected in npm-6.2.0.tgz - autoclosed

CVE-2020-15095 - Medium Severity Vulnerability

Vulnerable Library - npm-6.2.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.2.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution (npm): 6.14.6

Direct dependency fix Resolution (atom-package-manager): 2.5.0


WS-2020-0180 (High) detected in npm-user-validate-1.0.0.tgz - autoclosed

WS-2020-0180 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • npm-6.14.6.tgz (Root Library)
    • npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to ReDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1


WS-2017-3772 (High) detected in underscore.string-3.3.5.tgz - autoclosed

WS-2017-3772 - High Severity Vulnerability

Vulnerable Library - underscore.string-3.3.5.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/underscore.string/package.json

Dependency Hierarchy:

  • donna-1.0.16.tgz (Root Library)
    • underscore.string-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2021-33502 (High) detected in normalize-url-2.0.1.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Library - normalize-url-2.0.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz

Path to dependency file: /script/vsts/package.json

Path to vulnerable library: /script/vsts/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • download-7.1.0.tgz (Root Library)
    • got-8.3.2.tgz
      • cacheable-request-2.1.4.tgz
        • normalize-url-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1


WS-2021-0154 (Medium) detected in glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz - autoclosed

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/glob-parent/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • glob-parent-2.0.0.tgz (Vulnerable Library)

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • globby-8.0.1.tgz
      • fast-glob-2.2.2.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2


WS-2018-0625 (High) detected in xmlbuilder-0.4.3.tgz, xmlbuilder-8.2.2.tgz - autoclosed

WS-2018-0625 - High Severity Vulnerability

Vulnerable Libraries - xmlbuilder-0.4.3.tgz, xmlbuilder-8.2.2.tgz

xmlbuilder-0.4.3.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-0.4.3.tgz

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • plist-0.4.4.tgz
      • xmlbuilder-0.4.3.tgz (Vulnerable Library)

xmlbuilder-8.2.2.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-8.2.2.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/plist/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • electron-packager-12.2.0.tgz (Root Library)
    • plist-2.1.0.tgz
      • xmlbuilder-8.2.2.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: oozcitak/xmlbuilder-js@bbf929a

Release Date: 2020-03-23

Fix Resolution: 9.0.5


WS-2021-0152 (High) detected in color-string-0.2.4.tgz - autoclosed

WS-2021-0152 - High Severity Vulnerability

Vulnerable Library - color-string-0.2.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-0.2.4.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/color-string/package.json

Dependency Hierarchy:

  • color-0.7.3.tgz (Root Library)
    • color-string-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5

Release Date: 2021-03-12

Fix Resolution: color-string - 1.5.5


CVE-2019-9023 (High) detected in oniguruma1d22eef3a734eb531fb08ced62b44a9ddb2da9a3, https://source.codeaurora.org/quic/lc/external/github.com/ellzey/libevhtp/0.3.6 - autoclosed

CVE-2019-9023 - High Severity Vulnerability

Vulnerable Libraries - oniguruma1d22eef3a734eb531fb08ced62b44a9ddb2da9a3, https://source.codeaurora.org/quic/lc/external/github.com/ellzey/libevhtp/0.3.6

Vulnerability Details

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Publish Date: 2019-02-22

URL: CVE-2019-9023

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9023

Release Date: 2019-02-22

Fix Resolution: 5.6.40,7.1.26,7.2.14,7.3.1


WS-2018-0625 (High) detected in xmlbuilder-0.4.3.tgz, xmlbuilder-8.2.2.tgz

WS-2018-0625 - High Severity Vulnerability

Vulnerable Libraries - xmlbuilder-0.4.3.tgz, xmlbuilder-8.2.2.tgz

xmlbuilder-0.4.3.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-0.4.3.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • plist-0.4.4.tgz
      • xmlbuilder-0.4.3.tgz (Vulnerable Library)

xmlbuilder-8.2.2.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-8.2.2.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/plist/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • electron-packager-12.2.0.tgz (Root Library)
    • plist-2.1.0.tgz
      • xmlbuilder-8.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-08

Fix Resolution (xmlbuilder): 9.0.5

Direct dependency fix Resolution (electron-packager): 13.0.0


CVE-2021-33623 (High) detected in trim-newlines-1.0.0.tgz, trim-newlines-2.0.0.tgz

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Libraries - trim-newlines-1.0.0.tgz, trim-newlines-2.0.0.tgz

trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/trim-newlines/package.json,/script/vsts/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • publish-release-1.6.0.tgz (Root Library)
    • pretty-bytes-1.0.4.tgz
      • meow-3.7.0.tgz
        • trim-newlines-1.0.0.tgz (Vulnerable Library)

trim-newlines-2.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-2.0.0.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/stylelint/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • meow-5.0.0.tgz
      • trim-newlines-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (stylelint): 13.0.0


CVE-2018-20834 (High) detected in tar-2.2.1.tgz - autoclosed

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

  • atom-package-manager-2.4.5.tgz (Root Library)
    • npm-6.2.0.tgz
      • node-gyp-3.7.0.tgz
        • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (atom-package-manager): 2.5.0


CVE-2020-28469 (High) detected in glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/glob-parent/package.json,atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • glob-parent-2.0.0.tgz (Vulnerable Library)

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • stylelint-9.3.0.tgz (Root Library)
    • globby-8.0.1.tgz
      • fast-glob-2.2.2.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2


CVE-2017-16137 (Medium) detected in debug-3.2.6.tgz, debug-4.1.1.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Libraries - debug-3.2.6.tgz, debug-4.1.1.tgz

debug-3.2.6.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz

Dependency Hierarchy:

  • mocha-multi-reporters-1.1.7.tgz (Root Library)
    • debug-3.2.6.tgz (Vulnerable Library)

debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/@atom/electron-winstaller/node_modules/debug/package.json,/script/node_modules/@babel/traverse/node_modules/debug/package.json,/package.json,/script/node_modules/eslint/node_modules/debug/package.json

Dependency Hierarchy:

  • electron-notarize-0.2.1.tgz (Root Library)
    • debug-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (mocha-multi-reporters): 1.5.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (electron-notarize): 0.3.0


Step up your Open Source Security Game with Mend here

WS-2020-0344 (High) detected in is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz - autoclosed

WS-2020-0344 - High Severity Vulnerability

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

is-my-json-valid-2.19.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz

Path to dependency file: atom/packages/welcome/package.json

Path to vulnerable library: atom/packages/welcome/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.19.0.tgz (Vulnerable Library)

is-my-json-valid-2.20.0.tgz

A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz

Path to dependency file: atom/packages/dalek/package.json

Path to vulnerable library: atom/packages/dalek/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

  • standard-8.6.0.tgz (Root Library)
    • eslint-3.10.2.tgz
      • is-my-json-valid-2.20.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

An Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-09

Fix Resolution: is-my-json-valid - 2.20.3


CVE-2017-16113 (High) detected in parsejson-0.0.3.tgz - autoclosed

CVE-2017-16113 - High Severity Vulnerability

Vulnerable Library - parsejson-0.0.3.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz

Path to dependency file: /repo-with-submodules/You-Dont-Need-jQuery/package.json

Path to vulnerable library: atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/parsejson/package.json

Dependency Hierarchy:

  • karma-0.13.22.tgz (Root Library)
    • socket.io-1.7.4.tgz
      • socket.io-client-1.7.4.tgz
        • engine.io-client-1.8.6.tgz
          • parsejson-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.
