
karma-jasmine's Introduction

karma-jasmine


Adapter for the Jasmine testing framework.

Installation

npm install karma-jasmine --save-dev

Configuration

// karma.conf.js
module.exports = function(config) {
  config.set({
    frameworks: ['jasmine'],

    files: [
      '*.js'
    ]
  })
}

If you want to run only the tests matching a given pattern, you can do this in the following way:

$ karma start &
$ karma run -- --grep=<pattern>

or

module.exports = function(config) {
  config.set({
    ...
    client: {
      args: ['--grep', '<pattern>'],
      ...
    }
  })
}

If you want to pass configuration options directly to Jasmine, you can do this in the following way:

module.exports = function(config) {
  config.set({
    client: {
      jasmine: {
        random: true,
        seed: '4321',
        oneFailurePerSpec: true,
        failFast: true,
        timeoutInterval: 1000
      }
    }
  })
}

Debug by URL

Failing tests print a debug URL with ?spec=. Use it with --no_single_run and paste it into your browser to focus on a single failing test.

Sharding

By setting config.client.shardIndex and config.client.totalShards, you can run a subset of the full set of specs. Complete sharding support needs to be done in the process that calls karma, and would need to support test result integration across shards.


For more information on Karma see the homepage.

karma-jasmine's People

Contributors

dependabot[bot], dignifiedquire, dirktoewe, dtychshenko, fadc80, globin, gnrlbzik, joaopapereira, johnjbarton, kyliau, lalem001, limonte, maksimr, milanlempera, mschaaf, nicojs, olegskl, pablojim, r-park, readme42, sahat, semantic-release-bot, snyk-bot, tehvgg, themodmaker, thorn0, vavrecan, vojtajina, xhmikosr, zzo


karma-jasmine's Issues

WS-2017-3772 (High) detected in underscore.string-3.3.5.tgz - autoclosed

WS-2017-3772 - High Severity Vulnerability

Vulnerable Library - underscore.string-3.3.5.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/underscore.string/package.json

Dependency Hierarchy:

  • grunt-1.3.0.tgz (Root Library)
    • grunt-legacy-util-2.0.1.tgz
      • underscore.string-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


Step up your Open Source Security Game with WhiteSource here

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • karma-5.0.8.tgz (Root Library)
    • socket.io-2.4.1.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.0.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.9



[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._reinterpolate:3.0.0

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):


Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

conventional-changelog-core:4.1.7
        └─ git-raw-commits:2.0.0
              └─ lodash.template:4.5.0
                    └─ lodash._reinterpolate:3.0.0
                    └─ lodash.templatesettings:4.2.0
                          └─ lodash._reinterpolate:3.0.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 6.9) Vulnerability due to usage of socket.io:2.1.1

Vulnerabilities

DepShield reports that this application's usage of socket.io:2.1.1 results in the following vulnerability(s):


Occurrences

socket.io:2.1.1 is a transitive dependency introduced by the following direct dependency(s):

karma:4.4.1
        └─ socket.io:2.1.1


[DepShield] (CVSS 7.5) Vulnerability due to usage of glob-parent:3.1.0

Vulnerabilities

DepShield reports that this application's usage of glob-parent:3.1.0 results in the following vulnerability(s):


Occurrences

glob-parent:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

jasmine:3.6.1
        └─ fast-glob:2.2.7
              └─ glob-parent:3.1.0


CVE-2020-7598 (Medium) detected in minimist-1.2.0.tgz - autoclosed

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/get-pkg-repo/node_modules/minimist/package.json,/node_modules/grunt-conventional-changelog/node_modules/minimist/package.json,/node_modules/conventional-github-releaser/node_modules/minimist/package.json

Dependency Hierarchy:

  • grunt-conventional-changelog-6.1.0.tgz (Root Library)
    • conventional-changelog-1.1.24.tgz
      • conventional-changelog-core-2.0.11.tgz
        • conventional-changelog-writer-3.0.9.tgz
          • meow-4.0.1.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 5b4ded195decdcc676462fc56dd120baadf63204

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3



[DepShield] (CVSS 7.5) Vulnerability due to usage of hosted-git-info:2.8.5

Vulnerabilities

DepShield reports that this application's usage of hosted-git-info:2.8.5 results in the following vulnerability(s):


Occurrences

hosted-git-info:2.8.5 is a transitive dependency introduced by the following direct dependency(s):

conventional-changelog-core:4.1.7
        └─ get-pkg-repo:1.4.0
              └─ hosted-git-info:2.8.5
        └─ normalize-package-data:2.5.0
              └─ hosted-git-info:2.8.5


CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz - autoclosed

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/meow/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • cli-9.1.1.tgz (Root Library)
    • meow-5.0.0.tgz
      • yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 5b4ded195decdcc676462fc56dd120baadf63204

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (@commitlint/cli): 9.1.2



[DepShield] (CVSS 7.5) Vulnerability due to usage of engine.io:3.5.0

Vulnerabilities

DepShield reports that this application's usage of engine.io:3.5.0 results in the following vulnerability(s):


Occurrences

engine.io:3.5.0 is a transitive dependency introduced by the following direct dependency(s):

karma:5.0.8
        └─ socket.io:2.4.1
              └─ engine.io:3.5.0


CVE-2020-36049 (High) detected in socket.io-parser-3.2.0.tgz - autoclosed

CVE-2020-36049 - High Severity Vulnerability

Vulnerable Library - socket.io-parser-3.2.0.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-3.2.0.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • karma-4.4.1.tgz (Root Library)
    • socket.io-2.1.1.tgz
      • socket.io-parser-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Publish Date: 2021-01-08

URL: CVE-2020-36049

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-xfhh-g9f5-x4m4

Release Date: 2021-01-08

Fix Resolution: socket.io-parser - 3.3.2,3.4.1



[DepShield] (CVSS 7.5) Vulnerability due to usage of socket.io-parser:3.2.0

Vulnerabilities

DepShield reports that this application's usage of socket.io-parser:3.2.0 results in the following vulnerability(s):


Occurrences

socket.io-parser:3.2.0 is a transitive dependency introduced by the following direct dependency(s):

karma:4.4.1
        └─ socket.io:2.1.1
              └─ socket.io-client:2.1.1
                    └─ socket.io-parser:3.2.0
              └─ socket.io-parser:3.2.0


CVE-2020-36048 (High) detected in engine.io-3.5.0.tgz - autoclosed

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

  • karma-5.0.8.tgz (Root Library)
    • socket.io-2.4.1.tgz
      • engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 3.6.0

Direct dependency fix Resolution (karma): 6.0.0



[DepShield] (CVSS 8.8) Vulnerability due to usage of minimist:1.2.0

Vulnerabilities

DepShield reports that this application's usage of minimist:1.2.0 results in the following vulnerability(s):


Occurrences

minimist:1.2.0 is a transitive dependency introduced by the following direct dependency(s):

conventional-changelog-core:4.1.7
        └─ get-pkg-repo:1.4.0
              └─ meow:3.7.0
                    └─ minimist:1.2.0

grunt-conventional-changelog:6.1.0
        └─ conventional-changelog:1.1.24
              └─ conventional-changelog-core:2.0.11
                    └─ conventional-changelog-writer:3.0.9
                          └─ meow:4.0.1
                                └─ minimist:1.2.0

grunt-conventional-github-releaser:1.0.0
        └─ conventional-github-releaser:1.1.13
              └─ conventional-changelog:1.1.24
                    └─ conventional-changelog-core:2.0.11
                          └─ conventional-changelog-writer:3.0.9
                                └─ meow:4.0.1
                                      └─ minimist:1.2.0
                          └─ conventional-commits-parser:2.1.7
                                └─ meow:4.0.1
                                      └─ minimist:1.2.0
                          └─ git-raw-commits:1.3.6
                                └─ meow:4.0.1
                                      └─ minimist:1.2.0
              └─ git-semver-tags:1.3.6
                    └─ meow:4.0.1
                          └─ minimist:1.2.0
              └─ meow:3.7.0
                    └─ minimist:1.2.0


[DepShield] (CVSS 5.3) Vulnerability due to usage of ws:7.4.2

Vulnerabilities

DepShield reports that this application's usage of ws:7.4.2 results in the following vulnerability(s):


Occurrences

ws:7.4.2 is a transitive dependency introduced by the following direct dependency(s):

karma:5.0.8
        └─ socket.io:2.4.1
              └─ engine.io:3.5.0
                    └─ ws:7.4.2
              └─ socket.io-client:2.4.0
                    └─ engine.io-client:3.5.0
                          └─ ws:7.4.2


[DepShield] (CVSS 7.5) Vulnerability due to usage of engine.io:3.2.1

Vulnerabilities

DepShield reports that this application's usage of engine.io:3.2.1 results in the following vulnerability(s):


Occurrences

engine.io:3.2.1 is a transitive dependency introduced by the following direct dependency(s):

karma:4.4.1
        └─ socket.io:2.1.1
              └─ engine.io:3.2.1


[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.8

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):


Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:9.1.1
        └─ resolve-global:1.0.0
              └─ global-dirs:0.1.1
                    └─ ini:1.3.8

conventional-changelog-core:4.1.7
        └─ git-remote-origin-url:2.0.0
              └─ gitconfiglocal:1.0.0
                    └─ ini:1.3.8

grunt:1.2.1
        └─ grunt-cli:1.3.2
              └─ liftoff:2.5.0
                    └─ findup-sync:2.0.0
                          └─ resolve-dir:1.0.1
                                └─ global-modules:1.0.0
                                      └─ global-prefix:1.0.2
                                            └─ ini:1.3.8


[DepShield] (CVSS 7.5) Vulnerability due to usage of http-proxy:1.18.1

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.1 results in the following vulnerability(s):


Occurrences

http-proxy:1.18.1 is a transitive dependency introduced by the following direct dependency(s):

karma:4.4.1
        └─ http-proxy:1.18.1


[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash:4.17.19

Vulnerabilities

DepShield reports that this application's usage of lodash:4.17.19 results in the following vulnerability(s):


Occurrences

lodash:4.17.19 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:9.1.1
        └─ @commitlint/lint:9.1.1
              └─ @commitlint/rules:9.1.1
                    └─ @commitlint/ensure:9.1.1
                          └─ lodash:4.17.19
        └─ @commitlint/load:9.1.1
              └─ @commitlint/resolve-extends:9.1.1
                    └─ lodash:4.17.19
              └─ lodash:4.17.19
        └─ lodash:4.17.19

@commitlint/config-conventional:9.1.1
        └─ conventional-changelog-conventionalcommits:4.3.0
              └─ lodash:4.17.19

conventional-changelog-core:4.1.7
        └─ conventional-changelog-writer:4.0.17
              └─ lodash:4.17.19
        └─ conventional-commits-parser:3.1.0
              └─ lodash:4.17.19
        └─ lodash:4.17.19

grunt:1.2.1
        └─ grunt-legacy-log:2.0.0
              └─ grunt-legacy-log-utils:2.0.1
                    └─ lodash:4.17.19
              └─ lodash:4.17.19
        └─ grunt-legacy-util:1.1.1
              └─ lodash:4.17.19

grunt-conventional-changelog:6.1.0
        └─ conventional-changelog:1.1.24
              └─ conventional-changelog-core:2.0.11
                    └─ conventional-changelog-writer:3.0.9
                          └─ lodash:4.17.19
                    └─ conventional-commits-parser:2.1.7
                          └─ lodash:4.17.19
                    └─ lodash:4.17.19

grunt-conventional-github-releaser:1.0.0
        └─ conventional-github-releaser:1.1.13
              └─ conventional-changelog:1.1.24
                    └─ conventional-changelog-core:2.0.11
                          └─ conventional-changelog-writer:3.0.9
                                └─ lodash:4.17.19
                          └─ conventional-commits-parser:2.1.7
                                └─ lodash:4.17.19
                          └─ lodash:4.17.19

grunt-eslint:23.0.0
        └─ eslint:7.6.0
              └─ lodash:4.17.19
              └─ table:5.4.6
                    └─ lodash:4.17.19

grunt-karma:4.0.0
        └─ lodash:4.17.19

karma:4.4.1
        └─ lodash:4.17.19
        └─ log4js:4.5.1
              └─ streamroller:1.0.6
                    └─ lodash:4.17.19
                    └─ async:2.6.3
                          └─ lodash:4.17.19


CVE-2020-28481 (Medium) detected in socket.io-2.1.1.tgz - autoclosed

CVE-2020-28481 - Medium Severity Vulnerability

Vulnerable Library - socket.io-2.1.1.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/socket.io/package.json

Dependency Hierarchy:

  • karma-4.4.1.tgz (Root Library)
    • socket.io-2.1.1.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution: 2.4.0



CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.5.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.5.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • conventional-changelog-core-4.1.7.tgz (Root Library)
    • get-pkg-repo-1.4.0.tgz
      • hosted-git-info-2.8.5.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8



[DepShield] (CVSS 8.8) Vulnerability due to usage of minimist:0.0.8

Vulnerabilities

DepShield reports that this application's usage of minimist:0.0.8 results in the following vulnerability(s):


Occurrences

minimist:0.0.8 is a transitive dependency introduced by the following direct dependency(s):

karma:4.4.1
        └─ optimist:0.6.1
              └─ minimist:0.0.8


CVE-2020-28282 (High) detected in getobject-0.1.0.tgz - autoclosed

CVE-2020-28282 - High Severity Vulnerability

Vulnerable Library - getobject-0.1.0.tgz

get.and.set.deep.objects.easily = true

Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/getobject/package.json

Dependency Hierarchy:

  • grunt-1.2.1.tgz (Root Library)
    • grunt-legacy-util-1.1.1.tgz
      • getobject-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 5b4ded195decdcc676462fc56dd120baadf63204

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-12-29

URL: CVE-2020-28282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/getobject

Release Date: 2020-12-29

Fix Resolution: getobject - 1.0.0



[DepShield] (CVSS 7.5) Vulnerability due to usage of yargs-parser:10.1.0

Vulnerabilities

DepShield reports that this application's usage of yargs-parser:10.1.0 results in the following vulnerability(s):


Occurrences

yargs-parser:10.1.0 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:9.1.1
        └─ meow:5.0.0
              └─ yargs-parser:10.1.0


CVE-2020-7733 (High) detected in ua-parser-js-0.7.21.tgz - autoclosed

CVE-2020-7733 - High Severity Vulnerability

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • karma-5.0.8.tgz (Root Library)
    • ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in HEAD commit: c7d3ef39e2adf00f4ceec1ffae2d36ce56c19cc0

Found in base branch: master

Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (karma): 5.2.3



[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:5.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):


Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

jasmine:3.6.1
        └─ fast-glob:2.2.7
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0


CVE-2021-31597 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed

CVE-2021-31597 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • karma-5.0.8.tgz (Root Library)
    • socket.io-2.4.1.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.0.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (karma): 5.0.9


CVE-2021-27292 (High) detected in ua-parser-js-0.7.21.tgz - autoclosed

CVE-2021-27292 - High Severity Vulnerability

Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • karma-5.0.8.tgz (Root Library)
    • ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in HEAD commit: c7d3ef39e2adf00f4ceec1ffae2d36ce56c19cc0

Found in base branch: master

Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.24

Direct dependency fix Resolution (karma): 6.0.0


[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):


Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

jasmine:3.6.1
        └─ fast-glob:2.2.7
              └─ micromatch:3.1.10
                    └─ braces:2.3.2
                          └─ fill-range:4.0.0
                                └─ is-number:3.0.0
                                      └─ kind-of:3.2.2
                          └─ snapdragon-node:2.1.1
                                └─ snapdragon-util:3.0.1
                                      └─ kind-of:3.2.2
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ has-value:1.0.0
                                            └─ has-values:1.0.0
                                                  └─ is-number:3.0.0
                                                        └─ kind-of:3.2.2
                                      └─ to-object-path:0.3.0
                                            └─ kind-of:3.2.2
                                └─ class-utils:0.3.6
                                      └─ static-extend:0.1.2
                                            └─ object-copy:0.1.0
                                                  └─ kind-of:3.2.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2

CVE-2020-7729 (High) detected in grunt-1.2.1.tgz - autoclosed

CVE-2020-7729 - High Severity Vulnerability

Vulnerable Library - grunt-1.2.1.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-1.2.1.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: /node_modules/grunt/package.json

Dependency Hierarchy:

  • grunt-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 5b4ded195decdcc676462fc56dd120baadf63204

Found in base branch: master

Vulnerability Details

The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Publish Date: 2020-09-03

URL: CVE-2020-7729

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1684

Release Date: 2020-10-27

Fix Resolution: grunt - 1.3.0


Step up your Open Source Security Game with WhiteSource here

CVE-2021-23425 (Medium) detected in trim-off-newlines-1.0.1.tgz - autoclosed

CVE-2021-23425 - Medium Severity Vulnerability

Vulnerable Library - trim-off-newlines-1.0.1.tgz

Similar to String#trim() but removes only newlines

Library home page: https://registry.npmjs.org/trim-off-newlines/-/trim-off-newlines-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim-off-newlines/package.json

Dependency Hierarchy:

  • conventional-changelog-core-4.1.7.tgz (Root Library)
    • conventional-commits-parser-3.1.0.tgz
      • trim-off-newlines-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: c7d3ef39e2adf00f4ceec1ffae2d36ce56c19cc0

Found in base branch: master

Vulnerability Details

All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing.

Publish Date: 2021-08-18

URL: CVE-2021-23425

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23425

Release Date: 2021-08-18

Fix Resolution (trim-off-newlines): 1.0.2

Direct dependency fix Resolution (conventional-changelog-core): 4.1.8


CVE-2020-28500 (Medium) detected in lodash-4.17.19.tgz - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-9.1.1.tgz (Root Library)
    • lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21


[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:4.0.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):


Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

jasmine:3.6.1
        └─ fast-glob:2.2.7
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ has-value:1.0.0
                                            └─ has-values:1.0.0
                                                  └─ kind-of:4.0.0

[DepShield] (CVSS 9.8) Vulnerability due to usage of handlebars:4.7.6

Vulnerabilities

DepShield reports that this application's usage of handlebars:4.7.6 results in the following vulnerability(s):


Occurrences

handlebars:4.7.6 is a transitive dependency introduced by the following direct dependency(s):

conventional-changelog-core:4.1.7
        └─ conventional-changelog-writer:4.0.17
              └─ handlebars:4.7.6

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • jasmine-3.6.1.tgz (Root Library)
    • fast-glob-2.2.7.tgz
      • glob-parent-3.1.0.tgz (Vulnerable Library)

glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • grunt-eslint-23.0.0.tgz (Root Library)
    • eslint-7.6.0.tgz
      • glob-parent-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (jasmine): 3.6.2

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (grunt-eslint): 24.0.0


CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz - autoclosed

CVE-2020-28275 - High Severity Vulnerability

Vulnerable Library - cache-base-1.0.1.tgz

Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.

Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/cache-base/package.json

Dependency Hierarchy:

  • jasmine-3.6.1.tgz (Root Library)
    • fast-glob-2.2.7.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 5b4ded195decdcc676462fc56dd120baadf63204

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-11-07

URL: CVE-2020-28275

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2021-23369 (High) detected in handlebars-4.7.1.tgz, handlebars-4.7.6.tgz - autoclosed

CVE-2021-23369 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.7.1.tgz, handlebars-4.7.6.tgz

handlebars-4.7.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.1.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-conventional-changelog-6.1.0.tgz (Root Library)
    • conventional-changelog-1.1.24.tgz
      • conventional-changelog-core-2.0.11.tgz
        • conventional-changelog-writer-3.0.9.tgz
          • handlebars-4.7.1.tgz (Vulnerable Library)

handlebars-4.7.6.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.6.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/conventional-changelog-writer/node_modules/handlebars/package.json

Dependency Hierarchy:

  • conventional-changelog-core-4.1.7.tgz (Root Library)
    • conventional-changelog-writer-4.0.17.tgz
      • handlebars-4.7.6.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution: handlebars - 4.7.7


[DepShield] (CVSS 7.5) Vulnerability due to usage of socket.io-parser:3.3.2

Vulnerabilities

DepShield reports that this application's usage of socket.io-parser:3.3.2 results in the following vulnerability(s):


Occurrences

socket.io-parser:3.3.2 is a transitive dependency introduced by the following direct dependency(s):

karma:5.0.8
        └─ socket.io:2.4.1
              └─ socket.io-client:2.4.0
                    └─ socket.io-parser:3.3.2

[DepShield] (CVSS 7.5) Vulnerability due to usage of q:1.5.1

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):


Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:9.1.1
        └─ @commitlint/lint:9.1.1
              └─ @commitlint/parse:9.1.1
                    └─ conventional-changelog-angular:5.0.11
                          └─ q:1.5.1

@commitlint/config-conventional:9.1.1
        └─ conventional-changelog-conventionalcommits:4.3.0
              └─ q:1.5.1

conventional-changelog:3.1.21
        └─ conventional-changelog-atom:2.0.7
              └─ q:1.5.1
        └─ conventional-changelog-codemirror:2.0.7
              └─ q:1.5.1
        └─ conventional-changelog-ember:2.0.8
              └─ q:1.5.1
        └─ conventional-changelog-eslint:3.0.8
              └─ q:1.5.1
        └─ conventional-changelog-express:2.0.5
              └─ q:1.5.1
        └─ conventional-changelog-jquery:3.0.10
              └─ q:1.5.1
        └─ conventional-changelog-jshint:2.0.8
              └─ q:1.5.1
        └─ conventional-changelog-angular:5.0.11
              └─ q:1.5.1

conventional-changelog-core:4.1.7
        └─ q:1.5.1

grunt-conventional-changelog:6.1.0
        └─ conventional-changelog:1.1.24
              └─ conventional-changelog-angular:1.6.6
                    └─ q:1.5.1
              └─ conventional-changelog-jscs:0.1.0
                    └─ q:1.5.1
              └─ conventional-changelog-atom:0.2.8
                    └─ q:1.5.1
              └─ conventional-changelog-codemirror:0.3.8
                    └─ q:1.5.1
              └─ conventional-changelog-core:2.0.11
                    └─ q:1.5.1
              └─ conventional-changelog-ember:0.3.12
                    └─ q:1.5.1
              └─ conventional-changelog-eslint:1.0.9
                    └─ q:1.5.1
              └─ conventional-changelog-express:0.3.6
                    └─ q:1.5.1
              └─ conventional-changelog-jquery:0.1.0
                    └─ q:1.5.1
              └─ conventional-changelog-jshint:0.3.8
                    └─ q:1.5.1
        └─ q:1.5.1

grunt-conventional-github-releaser:1.0.0
        └─ conventional-github-releaser:1.1.13
              └─ conventional-changelog:1.1.24
                    └─ conventional-changelog-atom:0.2.8
                          └─ q:1.5.1
                    └─ conventional-changelog-codemirror:0.3.8
                          └─ q:1.5.1
                    └─ conventional-changelog-core:2.0.11
                          └─ q:1.5.1
                    └─ conventional-changelog-ember:0.3.12
                          └─ q:1.5.1
                    └─ conventional-changelog-eslint:1.0.9
                          └─ q:1.5.1
                    └─ conventional-changelog-express:0.3.6
                          └─ q:1.5.1
                    └─ conventional-changelog-jquery:0.1.0
                          └─ q:1.5.1
                    └─ conventional-changelog-jshint:0.3.8
                          └─ q:1.5.1
              └─ q:1.5.1

[DepShield] (CVSS 7.5) Vulnerability due to usage of glob-parent:5.1.0

Vulnerabilities

DepShield reports that this application's usage of glob-parent:5.1.0 results in the following vulnerability(s):


Occurrences

glob-parent:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

grunt-eslint:23.0.0
        └─ eslint:7.6.0
              └─ glob-parent:5.1.0

karma:5.0.8
        └─ chokidar:3.5.0
              └─ glob-parent:5.1.0

CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz - autoclosed

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Library - dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dot-prop/package.json

Dependency Hierarchy:

  • config-conventional-9.1.1.tgz (Root Library)
    • conventional-changelog-conventionalcommits-4.3.0.tgz
      • compare-func-1.3.2.tgz
        • dot-prop-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 5b4ded195decdcc676462fc56dd120baadf63204

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (@commitlint/config-conventional): 10.0.0


CVE-2021-23383 (High) detected in handlebars-4.7.1.tgz, handlebars-4.7.6.tgz - autoclosed

CVE-2021-23383 - High Severity Vulnerability

Vulnerable Libraries - handlebars-4.7.1.tgz, handlebars-4.7.6.tgz

handlebars-4.7.1.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.1.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-conventional-changelog-6.1.0.tgz (Root Library)
    • conventional-changelog-1.1.24.tgz
      • conventional-changelog-core-2.0.11.tgz
        • conventional-changelog-writer-3.0.9.tgz
          • handlebars-4.7.1.tgz (Vulnerable Library)

handlebars-4.7.6.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.6.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/conventional-changelog-writer/node_modules/handlebars/package.json

Dependency Hierarchy:

  • conventional-changelog-core-4.1.7.tgz (Root Library)
    • conventional-changelog-writer-4.0.17.tgz
      • handlebars-4.7.6.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution: handlebars - 4.7.7


[DepShield] (CVSS 8.8) Vulnerability due to usage of grunt:1.2.1

Vulnerabilities

DepShield reports that this application's usage of grunt:1.2.1 results in the following vulnerability(s):

CVE-2021-23337 (High) detected in lodash-4.17.19.tgz - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-9.1.1.tgz (Root Library)
    • lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21


[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):


Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

eslint-plugin-import:2.22.0
        └─ debug:2.6.9
        └─ eslint-import-resolver-node:0.3.4
              └─ debug:2.6.9
        └─ eslint-module-utils:2.6.0
              └─ debug:2.6.9

jasmine:3.6.1
        └─ fast-glob:2.2.7
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ debug:2.6.9
                    └─ snapdragon:0.8.2
                          └─ debug:2.6.9

karma:4.4.1
        └─ body-parser:1.19.0
              └─ debug:2.6.9
        └─ connect:3.7.0
              └─ debug:2.6.9
              └─ finalhandler:1.1.2
                    └─ debug:2.6.9

[DepShield] (CVSS 9.8) Vulnerability due to usage of handlebars:4.7.1

Vulnerabilities

DepShield reports that this application's usage of handlebars:4.7.1 results in the following vulnerability(s):


Occurrences

handlebars:4.7.1 is a transitive dependency introduced by the following direct dependency(s):

grunt-conventional-changelog:6.1.0
        └─ conventional-changelog:1.1.24
              └─ conventional-changelog-core:2.0.11
                    └─ conventional-changelog-writer:3.0.9
                          └─ handlebars:4.7.1

grunt-conventional-github-releaser:1.0.0
        └─ conventional-github-releaser:1.1.13
              └─ conventional-changelog:1.1.24
                    └─ conventional-changelog-core:2.0.11
                          └─ conventional-changelog-writer:3.0.9
                                └─ handlebars:4.7.1

WS-2018-0650 (High) detected in useragent-2.3.0.tgz - autoclosed

WS-2018-0650 - High Severity Vulnerability

Vulnerable Library - useragent-2.3.0.tgz

Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing

Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/useragent/package.json

Dependency Hierarchy:

  • karma-4.4.1.tgz (Root Library)
    • useragent-2.3.0.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.

Publish Date: 2018-02-27

URL: WS-2018-0650

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2021-32640 (Medium) detected in ws-7.4.2.tgz - autoclosed

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-7.4.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.2.tgz

Path to dependency file: karma-jasmine/package.json

Path to vulnerable library: karma-jasmine/node_modules/ws/package.json

Dependency Hierarchy:

  • karma-5.0.8.tgz (Root Library)
    • socket.io-2.4.1.tgz
      • engine.io-3.5.0.tgz
        • ws-7.4.2.tgz (Vulnerable Library)

Found in HEAD commit: c7d3ef39e2adf00f4ceec1ffae2d36ce56c19cc0

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6



CVE-2021-33623 (High) detected in multiple libraries - autoclosed

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Libraries - trim-newlines-1.0.0.tgz, trim-newlines-3.0.0.tgz, trim-newlines-2.0.0.tgz

trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/conventional-github-releaser/node_modules/meow/node_modules/trim-newlines/package.json,/node_modules/get-pkg-repo/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • grunt-conventional-github-releaser-1.0.0.tgz (Root Library)
    • conventional-github-releaser-1.1.13.tgz
      • meow-3.7.0.tgz
        • trim-newlines-1.0.0.tgz (Vulnerable Library)

trim-newlines-3.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/git-semver-tags/node_modules/trim-newlines/package.json,/node_modules/conventional-commits-parser/node_modules/trim-newlines/package.json,/node_modules/git-raw-commits/node_modules/trim-newlines/package.json,/node_modules/conventional-changelog-writer/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • cli-9.1.1.tgz (Root Library)
    • read-9.1.1.tgz
      • git-raw-commits-2.0.7.tgz
        • meow-7.1.0.tgz
          • trim-newlines-3.0.0.tgz (Vulnerable Library)

trim-newlines-2.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • cli-9.1.1.tgz (Root Library)
    • meow-5.0.0.tgz
      • trim-newlines-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ac7f2ab033a9aabf92612640d45305579836a416

Found in base branch: master

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (@commitlint/cli): 9.1.2



[DepShield] (CVSS 7.5) Vulnerability due to usage of ua-parser-js:0.7.21

Vulnerabilities

DepShield reports that this application's usage of ua-parser-js:0.7.21 results in the following vulnerability(s):


Occurrences

ua-parser-js:0.7.21 is a transitive dependency introduced by the following direct dependency(s):

karma:5.0.8
        └─ ua-parser-js:0.7.21

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 8.8) Vulnerability due to usage of xmlhttprequest-ssl:1.5.5

Vulnerabilities

DepShield reports that this application's usage of xmlhttprequest-ssl:1.5.5 results in the following vulnerability(s):


Occurrences

xmlhttprequest-ssl:1.5.5 is a transitive dependency introduced by the following direct dependency(s):

karma:4.4.1
        └─ socket.io:2.1.1
              └─ socket.io-client:2.1.1
                    └─ engine.io-client:3.2.1
                          └─ xmlhttprequest-ssl:1.5.5

