Git Product home page Git Product logo

karma's Introduction

Karma

js-standard-style npm version npm downloads

Build Status Build Status Code Climate PRs Welcome Dependency Status devDependency Status semantic-release

A simple tool that allows you to execute JavaScript code in multiple real browsers.

The main purpose of Karma is to make your test-driven development easy, fast, and fun.

Help and Support

For questions and support please use the mailing list or Gitter. The issue tracker is for bug reports and feature discussions only.

When should I use Karma?

  • You want to test code in real browsers.
  • You want to test code in multiple browsers (desktop, mobile, tablets, etc.).
  • You want to execute your tests locally during development.
  • You want to execute your tests on a continuous integration server.
  • You want to execute your tests on every save.
  • You love your terminal.
  • You don't want your (testing) life to suck.
  • You want to use Istanbul to automagically generate coverage reports.
  • You want to use RequireJS for your source files.

But I still want to use _insert testing library_

Karma is not a testing framework, nor an assertion library. Karma just launches an HTTP server, and generates the test runner HTML file you probably already know from your favourite testing framework. So for testing purposes you can use pretty much anything you like. There are already plugins for most of the common testing frameworks:

If you can't find an adapter for your favourite framework, don't worry and write your own. It's not that hard and we are here to help.

Which Browsers can I use?

All the major browsers are supported, if you want to know more see the browsers page.

Troubleshooting

See FAQ.

I want to use it. Where do I sign?

You don't need to sign anything but here are some resources to help you to get started...

Obligatory Screencast.

Every serious project has a screencast, so here is ours. Just click here and let the show begin.

Installation.

See installation.

Using it.

See configuration.

This is so great. I want to help.

Please, see contributing.

Why did you create this?

Throughout the development of AngularJS, we've been using JSTD for testing. I really think that JSTD is a great idea. Unfortunately, we had many problems with JSTD, so we decided to write our own test runner based on the same idea. We wanted a simple tool just for executing JavaScript tests that is both stable and fast. That's why we use the awesome Socket.io library and Node.js.

My boss wants a license. So where is it?

MIT License

karma's People

Contributors

anthony-redfox avatar bitwiseman avatar budde377 avatar cironunes avatar danielcompton avatar deepak1556 avatar dependabot[bot] avatar devoto13 avatar dignifiedquire avatar greenkeeperio-bot avatar iristyle avatar johnjbarton avatar karmarunnerbot avatar lusarz avatar maksimr avatar matz3 avatar mgol avatar moumi avatar pkozlowski-opensource avatar semantic-release-bot avatar shyamseshadri avatar sylvain-hamel avatar taichi avatar thorn0 avatar timbertson avatar twolfson avatar vivganes avatar vojtajina avatar wesleycho avatar zzo avatar

Watchers

avatar

karma's Issues

CVE-2020-7751 (High) detected in pathval-1.1.0.tgz - autoclosed

CVE-2020-7751 - High Severity Vulnerability

Vulnerable Library - pathval-1.1.0.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pathval/package.json

Dependency Hierarchy:

  • chai-4.2.0.tgz (Root Library)
    • pathval-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751

Release Date: 2020-10-26

Fix Resolution (pathval): 1.1.1

Direct dependency fix Resolution (chai): 4.3.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of mocha:4.1.0

Vulnerabilities

DepShield reports that this application's usage of mocha:4.1.0 results in the following vulnerability(s):

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2018-20676 (Medium) detected in bootstrap-3.3.2.min.js - autoclosed

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • bootstrap-3.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.memoize:3.0.4

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:3.0.4 results in the following vulnerability(s):

Occurrences

lodash.memoize:3.0.4 is a transitive dependency introduced by the following direct dependency(s):

browserify:16.5.2
        └─ browser-pack:6.1.0
              └─ combine-source-map:0.8.0
                    └─ lodash.memoize:3.0.4

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2012-6708 (Low) detected in jquery-1.7.1.min.js, jquery-1.8.1.min.js - autoclosed

CVE-2012-6708 - Low Severity Vulnerability

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.8.1.min.js

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._reinterpolate:3.0.0

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):

Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:8.3.5
        └─ @commitlint/read:8.3.4
              └─ git-raw-commits:2.0.7
                    └─ lodash.template:4.5.0
                          └─ lodash._reinterpolate:3.0.0
                          └─ lodash.templatesettings:4.2.0
                                └─ lodash._reinterpolate:3.0.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz - autoclosed

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/node_modules/minimist/package.json

Dependency Hierarchy:

  • mocha-4.1.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/karma-mocha/node_modules/minimist/package.json

Dependency Hierarchy:

  • karma-mocha-1.3.0.tgz (Root Library)
    • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (mocha): 6.2.3

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (karma-mocha): 2.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz - autoclosed

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • cli-8.3.5.tgz (Root Library)
    • meow-5.0.0.tgz
      • yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (@commitlint/cli): 9.1.2

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.restparam:3.6.1

Vulnerabilities

DepShield reports that this application's usage of lodash.restparam:3.6.1 results in the following vulnerability(s):

Occurrences

lodash.restparam:3.6.1 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ npm:6.14.10
                    └─ lodash.restparam:3.6.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2015-9251 (Low) detected in multiple libraries - autoclosed

CVE-2015-9251 - Low Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js, jquery-1.8.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:5.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

watchify:3.11.1
        └─ anymatch:2.0.0
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/y18n/package.json,/node_modules/semantic-release/node_modules/y18n/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • yargs-15.4.1.tgz
      • y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (semantic-release): 16.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-26226 (High) detected in semantic-release-15.14.0.tgz - autoclosed

CVE-2020-26226 - High Severity Vulnerability

Vulnerable Library - semantic-release-15.14.0.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-15.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.

Publish Date: 2020-11-18

URL: CVE-2020-26226

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r2j6-p67h-q639

Release Date: 2020-11-18

Fix Resolution: 17.2.3

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.get:4.4.2

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/github:5.5.8
              └─ @octokit/rest:16.43.1
                    └─ lodash.get:4.4.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2018-14040 (Medium) detected in bootstrap-3.3.2.min.js - autoclosed

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • bootstrap-3.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with Mend here

CVE-2020-7788 (High) detected in ini-1.3.5.tgz - autoclosed

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ini/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • npm-5.3.5.tgz
      • npm-6.14.10.tgz
        • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (semantic-release): 16.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz - autoclosed

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dot-prop/package.json

Dependency Hierarchy:

  • config-conventional-8.3.4.tgz (Root Library)
    • conventional-changelog-conventionalcommits-4.2.1.tgz
      • compare-func-1.3.2.tgz
        • dot-prop-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (@commitlint/config-conventional): 10.0.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clonedeep:4.5.0

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ npm:6.14.10
                    └─ libnpm:3.0.1
                          └─ libnpmpublish:1.1.2
                                └─ lodash.clonedeep:4.5.0
                    └─ lodash.clonedeep:4.5.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.uniqby:4.7.0

Vulnerabilities

DepShield reports that this application's usage of lodash.uniqby:4.7.0 results in the following vulnerability(s):

Occurrences

lodash.uniqby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/github:5.5.8
              └─ issue-parser:5.0.0
                    └─ lodash.uniqby:4.7.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2019-11358 (Medium) detected in jquery-2.1.3.min.js, jquery-3.2.1.min.js - autoclosed

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-3.2.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-3.2.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js

Path to dependency file: /node_modules/superagent/docs/tail.html

Path to vulnerable library: /node_modules/superagent/docs/tail.html

Dependency Hierarchy:

  • jquery-3.2.1.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.5

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.5 results in the following vulnerability(s):

Occurrences

ini:1.3.5 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ npm:6.14.10
                    └─ config-chain:1.1.12
                          └─ ini:1.3.5
                    └─ ini:1.3.5
                    └─ libcipm:4.0.8
                          └─ ini:1.3.5
                    └─ libnpm:3.0.1
                          └─ libnpmconfig:1.2.1
                                └─ ini:1.3.5
                    └─ update-notifier:2.5.0
                          └─ is-installed-globally:0.1.0
                                └─ global-dirs:0.1.1
                                      └─ ini:1.3.5
                          └─ latest-version:3.1.0
                                └─ package-json:4.0.1
                                      └─ registry-auth-token:3.4.0
                                            └─ rc:1.2.8
                                                  └─ ini:1.3.5

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.8

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:8.3.5
        └─ resolve-global:1.0.0
              └─ global-dirs:0.1.1
                    └─ ini:1.3.8

grunt-cli:1.3.2
        └─ liftoff:2.5.0
              └─ findup-sync:2.0.0
                    └─ resolve-dir:1.0.1
                          └─ global-modules:1.0.0
                                └─ global-prefix:1.0.2
                                      └─ ini:1.3.8

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ rc:1.2.8
                    └─ ini:1.3.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of glob-parent:3.1.0

Vulnerabilities

DepShield reports that this application's usage of glob-parent:3.1.0 results in the following vulnerability(s):

Occurrences

glob-parent:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

watchify:3.11.1
        └─ chokidar:2.1.8
              └─ glob-parent:3.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-28282 (High) detected in getobject-0.1.0.tgz - autoclosed

CVE-2020-28282 - High Severity Vulnerability

Vulnerable Library - getobject-0.1.0.tgz

get.and.set.deep.objects.easily = true

Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/getobject/package.json

Dependency Hierarchy:

  • grunt-1.2.1.tgz (Root Library)
    • grunt-legacy-util-1.1.1.tgz
      • getobject-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e5d019a24ef628acd7bc79c62bc8c6f3df11e67e

Found in base branch: browser-stack

Vulnerability Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-12-29

URL: CVE-2020-28282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/getobject

Release Date: 2020-12-29

Fix Resolution (getobject): 1.0.0

Direct dependency fix Resolution (grunt): 1.3.0

Step up your Open Source Security Game with Mend here

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • npm-5.3.5.tgz
      • npm-6.14.10.tgz
        • ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e5d019a24ef628acd7bc79c62bc8c6f3df11e67e

Found in base branch: browser-stack

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (semantic-release): 16.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-7656 (Medium) detected in jquery-1.7.1.min.js, jquery-1.8.1.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.1.min.js, jquery-1.8.1.min.js

jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with Mend here

CVE-2020-28498 (Medium) detected in elliptic-6.5.3.tgz - autoclosed

CVE-2020-28498 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.3.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

  • browserify-16.5.2.tgz (Root Library)
    • crypto-browserify-3.12.0.tgz
      • browserify-sign-4.0.4.tgz
        • elliptic-6.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution (elliptic): 6.5.4

Direct dependency fix Resolution (browserify): 17.0.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of ssri:6.0.1

Vulnerabilities

DepShield reports that this application's usage of ssri:6.0.1 results in the following vulnerability(s):

Occurrences

ssri:6.0.1 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ npm:6.14.10
                    └─ cacache:12.0.3
                          └─ ssri:6.0.1
                    └─ libnpm:3.0.1
                          └─ libnpmpublish:1.1.2
                                └─ ssri:6.0.1
                    └─ npm-registry-fetch:4.0.7
                          └─ make-fetch-happen:5.0.2
                                └─ ssri:6.0.1
                    └─ pacote:9.5.12
                          └─ ssri:6.0.1
                    └─ ssri:6.0.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-11023 (Medium) detected in multiple libraries - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js, jquery-3.2.1.min.js, jquery-1.8.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-3.2.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js

Path to dependency file: /node_modules/superagent/docs/tail.html

Path to vulnerable library: /node_modules/superagent/docs/tail.html

Dependency Hierarchy:

  • jquery-3.2.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 5.3) Vulnerability due to usage of ws:6.2.1

Vulnerabilities

DepShield reports that this application's usage of ws:6.2.1 results in the following vulnerability(s):

Occurrences

ws:6.2.1 is a transitive dependency introduced by the following direct dependency(s):

puppeteer:1.20.0
        └─ ws:6.2.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-27292 (High) detected in ua-parser-js-0.7.24.tgz - autoclosed

CVE-2021-27292 - High Severity Vulnerability

Vulnerable Library - ua-parser-js-0.7.24.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.24.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • ua-parser-js-0.7.24.tgz (Vulnerable Library)

Found in HEAD commit: e5d019a24ef628acd7bc79c62bc8c6f3df11e67e

Found in base branch: browser-stack

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution: 0.7.25

Step up your Open Source Security Game with Mend here

CVE-2021-23362 (Medium) detected in multiple libraries - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Libraries - hosted-git-info-2.8.8.tgz, hosted-git-info-2.7.1.tgz, hosted-git-info-3.0.4.tgz

hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • npm-5.3.5.tgz
      • npm-6.14.10.tgz
        • hosted-git-info-2.8.8.tgz (Vulnerable Library)
hosted-git-info-2.7.1.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • cli-8.3.5.tgz (Root Library)
    • meow-5.0.0.tgz
      • normalize-package-data-2.5.0.tgz
        • hosted-git-info-2.7.1.tgz (Vulnerable Library)
hosted-git-info-3.0.4.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • hosted-git-info-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: e5d019a24ef628acd7bc79c62bc8c6f3df11e67e

Found in base branch: browser-stack

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (semantic-release): 16.0.0

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (@commitlint/cli): 8.3.6

Fix Resolution (hosted-git-info): 3.0.8

Direct dependency fix Resolution (semantic-release): 16.0.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of diff:3.3.1

Vulnerabilities

DepShield reports that this application's usage of diff:3.3.1 results in the following vulnerability(s):

Occurrences

diff:3.3.1 is a transitive dependency introduced by the following direct dependency(s):

mocha:4.1.0
        └─ diff:3.3.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

WS-2020-0163 (Medium) detected in marked-0.7.0.tgz - autoclosed

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-15.14.0.tgz (Root Library)
    • marked-0.7.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (semantic-release): 17.0.7

Step up your Open Source Security Game with Mend here

CVE-2021-23337 (High) detected in lodash-4.17.19.tgz, lodash-4.17.15.tgz - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.19.tgz, lodash-4.17.15.tgz

lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.6.0.tgz (Root Library)
    • lodash-4.17.19.tgz (Vulnerable Library)
lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@commitlint/load/node_modules/lodash/package.json,/node_modules/@commitlint/resolve-extends/node_modules/lodash/package.json,/node_modules/@commitlint/lint/node_modules/lodash/package.json,/node_modules/@commitlint/cli/node_modules/lodash/package.json,/node_modules/@commitlint/ensure/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-8.3.5.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (eslint): 7.7.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@commitlint/cli): 8.3.6

Step up your Open Source Security Game with Mend here

WS-2019-0425 (Medium) detected in mocha-4.1.0.tgz - autoclosed

WS-2019-0425 - Medium Severity Vulnerability

Vulnerable Library - mocha-4.1.0.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/package.json

Dependency Hierarchy:

  • mocha-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-24

Fix Resolution: 6.0.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._baseindexof:3.1.0

Vulnerabilities

DepShield reports that this application's usage of lodash._baseindexof:3.1.0 results in the following vulnerability(s):

Occurrences

lodash._baseindexof:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ npm:6.14.10
                    └─ lodash._baseindexof:3.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._cacheindexof:3.0.2

Vulnerabilities

DepShield reports that this application's usage of lodash._cacheindexof:3.0.2 results in the following vulnerability(s):

Occurrences

lodash._cacheindexof:3.0.2 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ @semantic-release/npm:5.3.5
              └─ npm:6.14.10
                    └─ lodash._cacheindexof:3.0.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 3.7) Vulnerability due to usage of elliptic:6.5.3

Vulnerabilities

DepShield reports that this application's usage of elliptic:6.5.3 results in the following vulnerability(s):

Occurrences

elliptic:6.5.3 is a transitive dependency introduced by the following direct dependency(s):

browserify:16.5.2
        └─ crypto-browserify:3.12.0
              └─ browserify-sign:4.0.4
                    └─ elliptic:6.5.3
              └─ create-ecdh:4.0.3
                    └─ elliptic:6.5.3

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2018-14042 (Medium) detected in bootstrap-3.3.2.min.js - autoclosed

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • bootstrap-3.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 5.3) Vulnerability due to usage of ws:7.4.1

Vulnerabilities

DepShield reports that this application's usage of ws:7.4.1 results in the following vulnerability(s):

Occurrences

ws:7.4.1 is a transitive dependency introduced by the following direct dependency(s):

socket.io:3.0.4
        └─ engine.io:4.0.5
              └─ ws:7.4.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2016-10735 (Medium) detected in bootstrap-3.3.2.min.js - autoclosed

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • bootstrap-3.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

Step up your Open Source Security Game with Mend here

CVE-2020-11022 (Medium) detected in multiple libraries - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-2.1.3.min.js, jquery-1.7.1.min.js, jquery-3.2.1.min.js, jquery-1.8.1.min.js

jquery-2.1.3.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • jquery-2.1.3.min.js (Vulnerable Library)
jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)
jquery-3.2.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js

Path to dependency file: /node_modules/superagent/docs/tail.html

Path to vulnerable library: /node_modules/superagent/docs/tail.html

Dependency Hierarchy:

  • jquery-3.2.1.min.js (Vulnerable Library)
jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with Mend here

CVE-2019-8331 (Medium) detected in bootstrap-3.3.2.min.js - autoclosed

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • bootstrap-3.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of marked:0.7.0

Vulnerabilities

DepShield reports that this application's usage of marked:0.7.0 results in the following vulnerability(s):

Occurrences

marked:0.7.0 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:15.14.0
        └─ marked:0.7.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-7729 (High) detected in grunt-1.2.1.tgz - autoclosed

CVE-2020-7729 - High Severity Vulnerability

Vulnerable Library - grunt-1.2.1.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-1.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grunt/package.json

Dependency Hierarchy:

  • grunt-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: e5d019a24ef628acd7bc79c62bc8c6f3df11e67e

Found in base branch: browser-stack

Vulnerability Details

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Publish Date: 2020-09-03

URL: CVE-2020-7729

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1684

Release Date: 2020-10-27

Fix Resolution: 1.3.0

Step up your Open Source Security Game with Mend here

CVE-2018-20677 (Medium) detected in bootstrap-3.3.2.min.js - autoclosed

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.2.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js

Path to dependency file: /node_modules/knuth-shuffle-seeded/index.html

Path to vulnerable library: /node_modules/knuth-shuffle-seeded/index.html

Dependency Hierarchy:

  • bootstrap-3.3.2.min.js (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-28500 (Medium) detected in lodash-4.17.19.tgz, lodash-4.17.15.tgz - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.17.19.tgz, lodash-4.17.15.tgz

lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eslint/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-7.6.0.tgz (Root Library)
    • lodash-4.17.19.tgz (Vulnerable Library)
lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@commitlint/load/node_modules/lodash/package.json,/node_modules/@commitlint/resolve-extends/node_modules/lodash/package.json,/node_modules/@commitlint/lint/node_modules/lodash/package.json,/node_modules/@commitlint/cli/node_modules/lodash/package.json,/node_modules/@commitlint/ensure/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-8.3.5.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (eslint): 7.7.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@commitlint/cli): 8.3.6

Step up your Open Source Security Game with Mend here

CVE-2020-8203 (High) detected in lodash-4.17.15.tgz - autoclosed

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@commitlint/load/node_modules/lodash/package.json,/node_modules/@commitlint/resolve-extends/node_modules/lodash/package.json,/node_modules/@commitlint/lint/node_modules/lodash/package.json,/node_modules/@commitlint/cli/node_modules/lodash/package.json,/node_modules/@commitlint/ensure/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-8.3.5.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (@commitlint/cli): 8.3.6

Step up your Open Source Security Game with Mend here

WS-2018-0590 (High) detected in diff-3.3.1.tgz - autoclosed

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-3.3.1.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mocha/node_modules/diff/package.json

Dependency Hierarchy:

  • mocha-4.1.0.tgz (Root Library)
    • diff-3.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 7c03032a10da3be9eafae1355bcf84abf75d4fa6

Found in base branch: browser-stack

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.