Git Product home page Git Product logo

irc-framework's Introduction

irc-framework

Codacy Badge

A better IRC framework for node.js. For bots and full clients. Read the documentation

SL Scan Codacy Badge

Aims

  • Lightweight
  • Performant
  • Very easy to get going out of the box
  • Grows as needed for larger applications
  • IRCv3 compliant
  • Multiple (+ auto detected) encoding support
  • Complete test suite

A simple and low-boilerplate framework to build IRC bots.

var bot = new IRC.Client();
bot.connect({
	host: 'irc.freenode.net',
	port: 6667,
	nick: 'prawnsbot'
});

bot.on('message', function(event) {
  	if (event.message.indexOf('hello') === 0) {
  		  event.reply('Hi!');
  	}
  	
  	if (event.message.match(/^!join /)) {
  	    var to_join = event.message.split(' ');
  		event.reply('Joining ' + to_join + '..');
  		bot.join(to_join);
  	}
});


// Or a quicker to match messages...
bot.matchMessage(/^hi/, function(event) {
	event.reply('hello there!');
});

Channel/buffer objects. Great for building clients

var bot = new IRC.Client();
bot.connect({
	host: 'irc.freenode.net',
	port: 6667,
	nick: 'prawnsbot'
});

var buffers = [];
bot.on('registered', function() {
	var channel = bot.channel('#prawnsalad');
	buffers.push(channel);
	
	channel.join();
	channel.say('Hi!');
	
	channel.updateUsers(function() {
		console.log(channel.users);
	});

	// Or you could even stream the channel messages elsewhere
	var stream = channel.stream();
	stream.pipe(process.stdout);
});

Middleware

function ExampleMiddleware() {
	return function(client, raw_events, parsed_events) {
		parsed_events.use(theMiddleware);
	}


	function theMiddleware(command, event, client, next) {
		if (command === 'registered') {
			if (client.options.nickserv) {
				var options = client.options.nickserv;
				client.say('nickserv', 'identify ' + options.account + ' ' + options.password);
			}
		}

		if (command === 'message' && event.event.nick.toLowerCase() === 'nickserv') {
			// Handle success/retries/failures
		}

		next();
	}
}


var irc_bot = new IRC.Client();
irc_bot.use(ExampleMiddleware());

irc-framework's People

Contributors

790 avatar astorije avatar corychaplin avatar ctria avatar danieloaks avatar ddevault avatar dependabot-preview[bot] avatar dependabot[bot] avatar frotty avatar graulund avatar halkeye avatar itsonlybinary avatar jay2k1 avatar kamikazechaser avatar karnauskas avatar kode54 avatar louist avatar m2ys4u avatar maxleiter avatar maxpoulin64 avatar piotrluczko avatar polarizedions avatar prawnsalad avatar snyk-bot avatar srmcgann avatar strategy47 avatar vith avatar xinayder avatar xpaw avatar zarthus avatar

Stargazers

avatar

Watchers

avatar

irc-framework's Issues

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clonedeep:4.5.0

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

eslint:7.31.0
        └─ table:6.7.1
              └─ lodash.clonedeep:4.5.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

eslint-plugin-import:2.22.1
        └─ debug:2.6.9
        └─ eslint-import-resolver-node:0.3.4
              └─ debug:2.6.9
        └─ eslint-module-utils:2.6.0
              └─ debug:2.6.9

webpack:4.44.2
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz - autoclosed

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/mocha/node_modules/minimist/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with WhiteSource here

CVE-2022-25858 (High) detected in terser-5.7.1.tgz

CVE-2022-25858 - High Severity Vulnerability

Vulnerable Library - terser-5.7.1.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser

Dependency Hierarchy:

  • webpack-5.50.0.tgz (Root Library)
    • terser-webpack-plugin-5.1.4.tgz
      • terser-5.7.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 5.14.2

Direct dependency fix Resolution (webpack): 5.51.0

Step up your Open Source Security Game with Mend here

CVE-2022-0355 (High) detected in simple-get-3.1.0.tgz

CVE-2022-0355 - High Severity Vulnerability

Vulnerable Library - simple-get-3.1.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get

Dependency Hierarchy:

  • iltorb-2.4.5.tgz (Root Library)
    • prebuild-install-5.3.5.tgz
      • simple-get-3.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution: simple-get - 4.0.1

Step up your Open Source Security Game with Mend here

DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

CVE-2021-27290 (High) detected in ssri-8.0.0.tgz - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-8.0.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-8.0.0.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/ssri

Dependency Hierarchy:

  • compression-webpack-plugin-4.0.0.tgz (Root Library)
    • cacache-15.0.5.tgz
      • ssri-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 664b7406f18cc6b0fcd37b1f6f1d6f738c240a0b

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: ssri - 6.0.2,8.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16042 (High) detected in growl-1.9.2.tgz - autoclosed

CVE-2017-16042 - High Severity Vulnerability

Vulnerable Library - growl-1.9.2.tgz

Growl unobtrusive notifications

Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/growl/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • growl-1.9.2.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

Publish Date: 2018-06-04

URL: CVE-2017-16042

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042

Release Date: 2018-06-04

Fix Resolution: 1.10.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/hosted-git-info

Dependency Hierarchy:

  • eslint-plugin-import-2.22.0.tgz (Root Library)
    • read-pkg-up-2.0.0.tgz
      • read-pkg-2.0.0.tgz
        • normalize-package-data-2.5.0.tgz
          • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 1f1e97ab2958481fdb9edab532fe5bfbdbdc2b72

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.8

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

iltorb:2.4.5
        └─ prebuild-install:5.3.6
              └─ rc:1.2.8
                    └─ ini:1.3.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2023-45133 (High) detected in traverse-7.15.0.tgz

CVE-2023-45133 - High Severity Vulnerability

Vulnerable Library - traverse-7.15.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.15.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/traverse

Dependency Hierarchy:

  • preset-env-7.15.0.tgz (Root Library)
    • plugin-transform-modules-commonjs-7.15.0.tgz
      • helper-module-transforms-7.15.0.tgz
        • traverse-7.15.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (@babel/preset-env): 7.15.4

Step up your Open Source Security Game with Mend here

CVE-2020-8927 (Medium) detected in src73.0.3677.0

CVE-2020-8927 - Medium Severity Vulnerability

Vulnerable Library - src73.0.3677.0

Library home page: https://chromium.googlesource.com/chromium/src

Found in HEAD commit: e3c952f70fb7852525e79878255a25edf0c2b725

Found in base branch: master

Vulnerable Source Files (1)

/node_modules/iltorb/brotli/c/dec/prefix.h

Vulnerability Details

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

Publish Date: 2020-09-15

URL: CVE-2020-8927

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-15

Fix Resolution: 1.0.8

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.get:4.4.2

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

sinon:9.2.2
        └─ @sinonjs/samsam:5.3.0
              └─ lodash.get:4.4.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-0144 (High) detected in shelljs-0.8.4.tgz

CVE-2022-0144 - High Severity Vulnerability

Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shelljs

Dependency Hierarchy:

  • shx-0.3.3.tgz (Root Library)
    • shelljs-0.8.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (shx): 0.3.4

Step up your Open Source Security Game with Mend here

CVE-2023-43646 (High) detected in get-func-name-2.0.0.tgz

CVE-2023-43646 - High Severity Vulnerability

Vulnerable Library - get-func-name-2.0.0.tgz

Utility for getting a function's name for node and the browser

Library home page: https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/get-func-name

Dependency Hierarchy:

  • chai-4.3.4.tgz (Root Library)
    • get-func-name-2.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit f934b228b which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-09-27

URL: CVE-2023-43646

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4q6p-r6v2-jvc5

Release Date: 2023-09-27

Fix Resolution: get-func-name - 2.0.1,3.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/lodash

Dependency Hierarchy:

  • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 664b7406f18cc6b0fcd37b1f6f1d6f738c240a0b

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 4.3) Vulnerability due to usage of bl:4.1.0

Vulnerabilities

DepShield reports that this application's usage of bl:4.1.0 results in the following vulnerability(s):

Occurrences

bl:4.1.0 is a transitive dependency introduced by the following direct dependency(s):

iltorb:2.4.5
        └─ prebuild-install:5.3.6
              └─ tar-fs:2.1.1
                    └─ tar-stream:2.2.0
                          └─ bl:4.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch

Dependency Hierarchy:

  • eslint-plugin-node-11.1.0.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.debounce:4.0.8

Vulnerabilities

DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):

Occurrences

lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency(s):

@babel/preset-env:7.14.7
        └─ babel-plugin-polyfill-corejs2:0.2.2
              └─ @babel/helper-define-polyfill-provider:0.2.3
                    └─ lodash.debounce:4.0.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.flattendeep:4.4.0

Vulnerabilities

DepShield reports that this application's usage of lodash.flattendeep:4.4.0 results in the following vulnerability(s):

Occurrences

lodash.flattendeep:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

nyc:15.1.0
        └─ caching-transform:4.0.0
              └─ package-hash:4.0.0
                    └─ lodash.flattendeep:4.4.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

WS-2017-0247 (Low) detected in ms-0.7.1.tgz - autoclosed

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/ms/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz
      • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2022-46175 (High) detected in json5-2.1.3.tgz, json5-1.0.1.tgz

CVE-2022-46175 - High Severity Vulnerability

Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz

json5-2.1.3.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5

Dependency Hierarchy:

  • core-7.14.6.tgz (Root Library)
    • json5-2.1.3.tgz (Vulnerable Library)
json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5

Dependency Hierarchy:

  • eslint-plugin-import-2.23.4.tgz (Root Library)
    • tsconfig-paths-3.9.0.tgz
      • json5-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e3c952f70fb7852525e79878255a25edf0c2b725

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@babel/core): 7.14.8

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (eslint-plugin-import): 2.24.0

Step up your Open Source Security Game with Mend here

WS-2018-0590 (High) detected in diff-1.4.0.tgz - autoclosed

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/diff/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2019-06-11

Fix Resolution: 3.5.0

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

@babel/cli:7.12.10
        └─ @nicolo-ribaudo/chokidar-2:2.1.8-no-fsevents
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2

webpack:4.44.2
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ to-object-path:0.3.0
                                      └─ kind-of:3.2.2
                          └─ class-utils:0.3.6
                                └─ static-extend:0.1.2
                                      └─ object-copy:0.1.0
                                            └─ kind-of:3.2.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ is-accessor-descriptor:0.1.6
                                      └─ kind-of:3.2.2
                                └─ is-data-descriptor:0.1.4
                                      └─ kind-of:3.2.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

WS-2021-0638 (High) detected in mocha-8.1.1.tgz

WS-2021-0638 - High Severity Vulnerability

Vulnerable Library - mocha-8.1.1.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-8.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha

Dependency Hierarchy:

  • mocha-8.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.

Publish Date: 2021-09-18

URL: WS-2021-0638

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-18

Fix Resolution: 10.1.0

Step up your Open Source Security Game with Mend here

CVE-2020-7751 (High) detected in pathval-1.1.0.tgz - autoclosed

CVE-2020-7751 - High Severity Vulnerability

Vulnerable Library - pathval-1.1.0.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/pathval

Dependency Hierarchy:

  • chai-4.2.0.tgz (Root Library)
    • pathval-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e3c952f70fb7852525e79878255a25edf0c2b725

Found in base branch: master

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/lodash

Dependency Hierarchy:

  • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 664b7406f18cc6b0fcd37b1f6f1d6f738c240a0b

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: irc-framework/node_modules/y18n/package.json

Path to vulnerable library: irc-framework/node_modules/y18n/package.json

Dependency Hierarchy:

  • nyc-15.1.0.tgz (Root Library)
    • yargs-15.4.1.tgz
      • y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 07c9edab6e6c3315717eacb1f0a0db71853c6665

Found in base branch: master

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

Step up your Open Source Security Game with WhiteSource here

WS-2019-0425 (Medium) detected in mocha-2.5.3.tgz - autoclosed

WS-2019-0425 - Medium Severity Vulnerability

Vulnerable Library - mocha-2.5.3.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/mocha/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: v6.0.0

Release Date: 2020-05-07

Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23364 (Medium) detected in browserslist-4.16.3.tgz - autoclosed

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/browserslist

Dependency Hierarchy:

  • core-7.13.15.tgz (Root Library)
    • helper-compilation-targets-7.13.13.tgz
      • browserslist-4.16.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10540 (High) detected in minimatch-0.3.0.tgz - autoclosed

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Library - minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/mocha/node_modules/minimatch/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • glob-3.2.11.tgz
      • minimatch-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-43138 (High) detected in async-2.6.3.tgz

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async

Dependency Hierarchy:

  • brotli-webpack-plugin-1.1.0.tgz (Root Library)
    • async-2.6.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

Step up your Open Source Security Game with Mend here

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/path-parse

Dependency Hierarchy:

  • eslint-plugin-node-11.1.0.tgz (Root Library)
    • resolve-1.20.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 50e72f1021a894c4b48cf82832bfa7088c3875f1

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:4.0.0 - autoclosed

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

webpack:4.44.2
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ has-value:1.0.0
                                      └─ has-values:1.0.0
                                            └─ kind-of:4.0.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent

Dependency Hierarchy:

  • eslint-7.31.0.tgz (Root Library)
    • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with Mend here

CVE-2020-36632 (Critical) detected in flat-4.1.0.tgz

CVE-2020-36632 - Critical Severity Vulnerability

Vulnerable Library - flat-4.1.0.tgz

Take a nested Javascript object and flatten it, or unflatten an object with delimited keys

Library home page: https://registry.npmjs.org/flat/-/flat-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/flat

Dependency Hierarchy:

  • mocha-8.1.1.tgz (Root Library)
    • yargs-unparser-1.6.1.tgz
      • flat-4.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.

Publish Date: 2022-12-25

URL: CVE-2020-36632

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2j2x-2gpw-g8fm

Release Date: 2022-12-25

Fix Resolution (flat): 4.1.1

Direct dependency fix Resolution (mocha): 8.1.2

Step up your Open Source Security Game with Mend here

CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz - autoclosed

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: irc-framework/package.json

Path to vulnerable library: irc-framework/node_modules/debug/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7641f9625d3efbd20e07a21ce5658920382e2873

Found in base branch: cap_32

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution: 2.6.9

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:5.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

webpack:4.44.2
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ kind-of:5.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2023-28154 (Critical) detected in webpack-5.50.0.tgz

CVE-2023-28154 - Critical Severity Vulnerability

Vulnerable Library - webpack-5.50.0.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-5.50.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack

Dependency Hierarchy:

  • webpack-5.50.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Publish Date: 2023-03-13

URL: CVE-2023-28154

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-03-13

Fix Resolution: 5.76.0

Step up your Open Source Security Game with Mend here

CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz - autoclosed

CVE-2020-28275 - High Severity Vulnerability

Vulnerable Library - cache-base-1.0.1.tgz

Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.

Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz

Path to dependency file: irc-framework/node_modules/cache-base/package.json

Path to vulnerable library: irc-framework/node_modules/cache-base/package.json

Dependency Hierarchy:

  • webpack-cli-3.3.12.tgz (Root Library)
    • findup-sync-3.0.0.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e3c952f70fb7852525e79878255a25edf0c2b725

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-11-07

URL: CVE-2020-28275

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.