turkdevops / chalk Goto Github PK
View Code? Open in Web Editor NEWThis project forked from chalk/chalk
🖍 Terminal string styling done right
License: MIT License
This project forked from chalk/chalk
🖍 Terminal string styling done right
License: MIT License
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with Mend here
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/
, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect')
event, for all WebContents as a workaround.
Publish Date: 2022-11-08
URL: CVE-2022-36077
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p2jh-44qj-pf2v
Release Date: 2022-11-08
Fix Resolution: electron - 18.3.7,19.0.11,20.0.1
Step up your Open Source Security Game with Mend here
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
Publish Date: 2018-01-24
URL: CVE-2018-1000006
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006
Release Date: 2018-01-24
Fix Resolution: 1.8.2-beta.5
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):
Occurrences
kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):
• xo:0.39.1
└─ globby:9.2.0
└─ fast-glob:2.2.7
└─ micromatch:3.1.10
└─ snapdragon:0.8.2
└─ base:0.11.2
└─ cache-base:1.0.1
└─ has-value:1.0.0
└─ has-values:1.0.0
└─ is-number:3.0.0
└─ kind-of:3.2.2
└─ to-object-path:0.3.0
└─ kind-of:3.2.2
└─ class-utils:0.3.6
└─ static-extend:0.1.2
└─ object-copy:0.1.0
└─ kind-of:3.2.2
└─ define-property:0.2.5
└─ is-descriptor:0.1.6
└─ is-accessor-descriptor:0.1.6
└─ kind-of:3.2.2
└─ is-data-descriptor:0.1.4
└─ kind-of:3.2.2
└─ braces:2.3.2
└─ snapdragon-node:2.1.1
└─ snapdragon-util:3.0.1
└─ kind-of:3.2.2
└─ fill-range:4.0.0
└─ is-number:3.0.0
└─ kind-of:3.2.2
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):
Occurrences
kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):
• xo:0.39.1
└─ globby:9.2.0
└─ fast-glob:2.2.7
└─ micromatch:3.1.10
└─ snapdragon:0.8.2
└─ define-property:0.2.5
└─ is-descriptor:0.1.6
└─ kind-of:5.1.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.
Publish Date: 2018-06-07
URL: CVE-2017-16151
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/539
Release Date: 2018-04-26
Fix Resolution: 1.7.8
Step up your Open Source Security Game with Mend here
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution (http-cache-semantics): 4.1.1
Direct dependency fix Resolution (ava): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):
Occurrences
ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):
• ava:3.15.0
└─ update-notifier:5.1.0
└─ latest-version:5.1.0
└─ package-json:6.5.0
└─ registry-auth-token:4.2.1
└─ rc:1.2.8
└─ ini:1.3.8
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of lodash.flattendeep:4.4.0 results in the following vulnerability(s):
Occurrences
lodash.flattendeep:4.4.0 is a transitive dependency introduced by the following direct dependency(s):
• nyc:15.1.0
└─ caching-transform:4.0.0
└─ package-hash:4.0.0
└─ lodash.flattendeep:4.4.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Found in base branch: main
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 11.8.6
Direct dependency fix Resolution (ava): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):
Occurrences
debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):
• xo:0.39.1
└─ eslint-plugin-import:2.23.4
└─ eslint-import-resolver-node:0.3.4
└─ debug:2.6.9
└─ debug:2.6.9
└─ globby:9.2.0
└─ fast-glob:2.2.7
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ snapdragon:0.8.2
└─ debug:2.6.9
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault()
on all new-window events where the url
or options
is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4075
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f9mq-jph6-9mhm
Release Date: 2020-07-13
Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of ini:1.3.7 results in the following vulnerability(s):
Occurrences
ini:1.3.7 is a transitive dependency introduced by the following direct dependency(s):
• tsd:0.14.0
└─ update-notifier:4.1.3
└─ is-installed-globally:0.3.2
└─ global-dirs:2.1.0
└─ ini:1.3.7
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4076
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m93v-9qjc-3g79
Release Date: 2020-07-13
Fix Resolution: electron - 7.2.4,8.2.4,9.0.0-beta.21
Step up your Open Source Security Game with Mend here
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation
and contextBridge
are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4077
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h9jc-284h-533g
Release Date: 2020-07-13
Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):
Occurrences
kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):
• xo:0.39.1
└─ globby:9.2.0
└─ fast-glob:2.2.7
└─ micromatch:3.1.10
└─ snapdragon:0.8.2
└─ base:0.11.2
└─ cache-base:1.0.1
└─ has-value:1.0.0
└─ has-values:1.0.0
└─ kind-of:4.0.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
A simple command-line interface framework for node.js.
Library home page: https://registry.npmjs.org/electron/-/electron-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.
Publish Date: 2020-07-07
URL: CVE-2020-15096
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6vrv-94jv-crrg
Release Date: 2020-07-10
Fix Resolution: electron - 6.1.11,8.2.4,9.0.0-beta.21
Step up your Open Source Security Game with Mend here
JavaScript parser and stringifier for YAML
Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.
Publish Date: 2023-04-24
URL: CVE-2023-2251
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f9xv-q969-pqx4
Release Date: 2023-04-24
Fix Resolution (yaml): 2.0.0-0
Direct dependency fix Resolution (xo): 0.54.0
Step up your Open Source Security Game with Mend here
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: chalk/package.json
Path to vulnerable library: chalk/node_modules/xo/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
Vulnerabilities
DepShield reports that this application's usage of electron:0.4.1 results in the following vulnerability(s):
Occurrences
electron:0.4.1 is a transitive dependency introduced by the following direct dependency(s):
• matcha:0.7.0
└─ electron:0.4.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tsconfig-paths/node_modules/json5/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (xo): 0.43.0
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (xo): 0.43.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):
Occurrences
lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):
• xo:0.39.1
└─ eslint:7.30.0
└─ table:6.7.1
└─ lodash.clonedeep:4.5.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of bl:4.1.0 results in the following vulnerability(s):
Occurrences
bl:4.1.0 is a transitive dependency introduced by the following direct dependency(s):
• ava:3.15.0
└─ ora:5.4.1
└─ bl:4.1.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: chalk/package.json
Path to vulnerable library: chalk/node_modules/xo/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 3103722a2c09e9dcab37b1369a88b2bdf496cbdd
Found in base branch: main
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.