This project forked from gotwarlost/istanbul
Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests and browser tests. Built for scale.
License: Other
Vulnerable Library - yargs-parser-2.4.1.tgzthe mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 5.0.0-security.0
Direct dependency fix Resolution (nodeunit): 0.11.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of y18n:3.2.1 results in the following vulnerability(s):
Occurrences
y18n:3.2.1 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ yargs:4.8.1
└─ y18n:3.2.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.13.1.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of brace-expansion:1.1.6 results in the following vulnerability(s):
Occurrences
brace-expansion:1.1.6 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ glob:7.0.5
└─ minimatch:3.0.2
└─ brace-expansion:1.1.6
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - js-yaml-3.6.1.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/coveralls/node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (coveralls): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.13.1.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Publish Date: 2020-09-30
URL: CVE-2019-20922
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.
Publish Date: 2019-10-20
URL: WS-2019-0318
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2019-12-01
Fix Resolution: handlebars - 4.4.5
Step up your Open Source Security Game with WhiteSource here
Vulnerabilities
DepShield reports that this application's usage of js-yaml:3.6.1 results in the following vulnerability(s):
Occurrences
js-yaml:3.6.1 is a transitive dependency introduced by the following direct dependency(s):
• coveralls:2.13.3
└─ js-yaml:3.6.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - diff-1.4.0.tgzA javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/diff/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution: 3.5.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - brace-expansion-1.1.6.tgzBrace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/brace-expansion/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
Publish Date: 2018-01-27
URL: CVE-2017-18077
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077
Release Date: 2018-01-27
Fix Resolution (brace-expansion): 1.1.7
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of glob-parent:2.0.0 results in the following vulnerability(s):
Occurrences
glob-parent:2.0.0 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ micromatch:2.3.11
└─ parse-glob:3.0.4
└─ glob-base:0.3.0
└─ glob-parent:2.0.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - lodash-4.13.1.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):
Occurrences
debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ tap-mocha-reporter:2.0.1
└─ debug:2.6.9
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2020-10-15
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of hosted-git-info:2.1.5 results in the following vulnerability(s):
Occurrences
hosted-git-info:2.1.5 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ test-exclude:1.1.0
└─ read-pkg-up:1.0.1
└─ read-pkg:1.1.0
└─ normalize-package-data:2.3.5
└─ hosted-git-info:2.1.5
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of hoek:2.16.3 results in the following vulnerability(s):
Occurrences
hoek:2.16.3 is a transitive dependency introduced by the following direct dependency(s):
• coveralls:2.13.3
└─ request:2.79.0
└─ hawk:3.1.3
└─ boom:2.10.1
└─ hoek:2.16.3
└─ hoek:2.16.3
└─ sntp:1.0.9
└─ hoek:2.16.3
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of debug:2.2.0 results in the following vulnerability(s):
Occurrences
debug:2.2.0 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ istanbul-lib-instrument:1.1.0-alpha.4
└─ babel-traverse:6.11.4
└─ debug:2.2.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of minimist:0.0.8 results in the following vulnerability(s):
Occurrences
minimist:0.0.8 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ istanbul-reports:1.0.0-alpha.8
└─ handlebars:4.0.5
└─ optimist:0.6.1
└─ minimist:0.0.8
└─ mkdirp:0.5.1
└─ minimist:0.0.8
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of tunnel-agent:0.4.3 results in the following vulnerability(s):
Occurrences
tunnel-agent:0.4.3 is a transitive dependency introduced by the following direct dependency(s):
• coveralls:2.13.3
└─ request:2.79.0
└─ tunnel-agent:0.4.3
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of braces:1.8.5 results in the following vulnerability(s):
Occurrences
braces:1.8.5 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ micromatch:2.3.11
└─ braces:1.8.5
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of yargs-parser:2.4.1 results in the following vulnerability(s):
Occurrences
yargs-parser:2.4.1 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ yargs:4.8.1
└─ yargs-parser:2.4.1
└─ yargs-parser:2.4.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - tunnel-agent-0.4.3.tgzHTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.
Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tunnel-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2017-03-05
URL: WS-2018-0076
CVSS 3 Score Details (5.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/598
Release Date: 2017-03-05
Fix Resolution (tunnel-agent): 0.6.0
Direct dependency fix Resolution (coveralls): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of handlebars:4.0.5 results in the following vulnerability(s):
Occurrences
handlebars:4.0.5 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ istanbul-reports:1.0.0-alpha.8
└─ handlebars:4.0.5
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - y18n-3.2.1.tgzthe bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerabilities
DepShield reports that this application's usage of lodash.assign:4.0.9 results in the following vulnerability(s):
Occurrences
lodash.assign:4.0.9 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ test-exclude:1.1.0
└─ lodash.assign:4.0.9
└─ yargs:4.8.1
└─ lodash.assign:4.0.9
└─ yargs-parser:2.4.1
└─ lodash.assign:4.0.9
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of minimist:1.2.0 results in the following vulnerability(s):
Occurrences
minimist:1.2.0 is a transitive dependency introduced by the following direct dependency(s):
• coveralls:2.13.3
└─ minimist:1.2.0
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ istanbul-lib-instrument:1.1.0-alpha.4
└─ babel-generator:6.11.4
└─ detect-indent:3.0.1
└─ minimist:1.2.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - ms-0.7.1.tgzTiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/ms/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerabilities
DepShield reports that this application's usage of lodash:4.13.1 results in the following vulnerability(s):
Occurrences
lodash:4.13.1 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ istanbul-lib-instrument:1.1.0-alpha.4
└─ babel-generator:6.11.4
└─ lodash:4.13.1
└─ babel-template:6.9.0
└─ lodash:4.13.1
└─ babel-traverse:6.11.4
└─ lodash:4.13.1
└─ babel-types:6.11.1
└─ lodash:4.13.1
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.
Publish Date: 2019-11-17
URL: WS-2019-0332
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Step up your Open Source Security Game with WhiteSource here
Vulnerabilities
DepShield reports that this application's usage of path-parse:1.0.5 results in the following vulnerability(s):
Occurrences
path-parse:1.0.5 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ nyc:7.1.0
└─ istanbul-lib-report:1.0.0-alpha.3
└─ path-parse:1.0.5
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of diff:1.4.0 results in the following vulnerability(s):
Occurrences
diff:1.4.0 is a transitive dependency introduced by the following direct dependency(s):
• nodeunit:0.9.5
└─ tap:7.1.2
└─ tap-mocha-reporter:2.0.1
└─ diff:1.4.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerable Library - debug-2.2.0.tgzsmall debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - hosted-git-info-2.1.5.tgzProvides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.
Publish Date: 2019-11-18
URL: WS-2019-0333
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Step up your Open Source Security Game with WhiteSource here
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/coveralls/node_modules/minimist/package.json,/node_modules/nyc/node_modules/detect-indent/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (nodeunit): 0.10.0
Fix Resolution (minimist): 1.2.3
Direct dependency fix Resolution (nodeunit): 0.11.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.13.1.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2020-09-30
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - cryptiles-2.0.5.tgzGeneral purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cryptiles/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (coveralls): 3.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - brace-expansion-1.1.6.tgzBrace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/brace-expansion/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
brace-expansion before 1.1.7 are vulnerable to a regular expression denial of service.
Publish Date: 2020-07-21
URL: CVE-2017-16032
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/338
Release Date: 2020-07-21
Fix Resolution (brace-expansion): 1.1.7
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Publish Date: 2019-12-20
URL: CVE-2019-19919
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.13.1.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-13
URL: WS-2019-0331
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
Publish Date: 2019-01-30
URL: WS-2019-0103
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-30
Fix Resolution (handlebars): 4.0.13
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.13.1.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - glob-parent-2.0.0.tgzStrips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (nodeunit): 0.11.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (nodeunit): 0.10.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-14
URL: WS-2019-0493
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-11-14
Fix Resolution: handlebars - 3.0.8,4.5.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - handlebars-4.0.5.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz
Path to dependency file: istanbul/package.json
Path to vulnerable library: istanbul/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 1bc76b2a4f1c68652ba76458f4f973a52dbbfe9e
Found in base branch: master
Vulnerability Details
handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-19
URL: WS-2019-0492
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-11-19
Fix Resolution: handlebars - 3.0.8,4.5.3
Step up your Open Source Security Game with WhiteSource here
Vulnerabilities
DepShield reports that this application's usage of cryptiles:2.0.5 results in the following vulnerability(s):
Occurrences
cryptiles:2.0.5 is a transitive dependency introduced by the following direct dependency(s):
• coveralls:2.13.3
└─ request:2.79.0
└─ hawk:3.1.3
└─ cryptiles:2.0.5
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
