turkdevops / vscode

This project forked from microsoft/vscode

Visual Studio Code

Home Page: https://code.visualstudio.com

License: MIT License

JavaScript 3.48% TypeScript 93.53% Batchfile 0.03% Shell 0.11% CSS 1.46% HTML 0.54% PowerShell 0.02% Python 0.01% Inno Setup 0.78% Roff 0.01% SCSS 0.02% Less 0.01% Dockerfile 0.01% Java 0.01% PHP 0.01% Hack 0.01% Makefile 0.01% Go 0.01% C++ 0.01% Pug 0.01%

vscode's Introduction

Visual Studio Code - Open Source ("Code - OSS")

The Repository

This repository ("Code - OSS") is where we (Microsoft) develop the Visual Studio Code product. Not only do we work on code and issues here, we also publish our roadmap, monthly iteration plans, and our endgame plans. This source code is available to everyone under the standard MIT license.

Visual Studio Code

Visual Studio Code is a distribution of the Code - OSS repository with Microsoft-specific customizations released under a traditional Microsoft product license.

Visual Studio Code combines the simplicity of a code editor with what developers need for their core edit-build-debug cycle. It provides comprehensive code editing, navigation, and understanding support along with lightweight debugging, a rich extensibility model, and lightweight integration with existing tools.

Visual Studio Code is updated monthly with new features and bug fixes. You can download it for Windows, macOS, and Linux on Visual Studio Code's website. To get the latest releases every day, install the Insiders build.

Contributing

There are many ways in which you can participate in the project, for example:

If you are interested in fixing issues and contributing directly to the code base, please see the document How to Contribute, which covers the following:

Feedback

Related Projects

Many of the core components and extensions to VS Code live in their own repositories on GitHub. For example, the node debug adapter and the mono debug adapter have their own repositories. For a complete list, please visit the Related Projects page on our wiki.

Bundled Extensions

VS Code includes a set of built-in extensions located in the extensions folder, including grammars and snippets for many languages. Extensions that provide rich language support (code completion, Go to Definition) for a language have the suffix language-features. For example, the json extension provides coloring for JSON and the json-language-features provides rich language support for JSON.

Development Container

This repository includes a Visual Studio Code Remote - Containers / Codespaces development container.

  • For Remote - Containers, use the Remote-Containers: Open Repository in Container... command which creates a Docker volume for better disk I/O on macOS and Windows.
  • For Codespaces, install the Visual Studio Codespaces extension in VS Code, and use the Codespaces: Create New Codespace command.

Docker / the Codespace should have at least 4 cores and 6 GB of RAM (8 GB recommended) to run a full build. See the development container README for more information.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

License

Copyright (c) Microsoft Corporation. All rights reserved.

Licensed under the MIT license.

vscode's People

Contributors

aeschli, alexdima, alexr00, bgashler1, bpasero, chrisdias, chrmarti, cleidigh, connor4312, dbaeumer, dependabot[bot], dstorey, egamma, isidorn, jeanp413, joaomoreno, jrieken, kieferrm, lixire, michelkaporin, mjbvz, octref, ramya-rao-a, rebornix, roblourens, sandy081, sbatten, tyriar, usernamehw, weinand

vscode's Issues

[DepShield] (CVSS 8.8) Vulnerability due to usage of js-yaml:3.7.0

Vulnerabilities

DepShield reports that this application's usage of js-yaml:3.7.0 results in the following vulnerability(s):


Occurrences

js-yaml:3.7.0 is a transitive dependency introduced by the following direct dependency(s):

gulp-cssnano:2.1.3
        └─ cssnano:3.10.0
              └─ postcss-svgo:2.1.6
                    └─ svgo:0.7.2
                          └─ js-yaml:3.7.0
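
The occurrence tree above is the result of a reachability query over the project's dependency graph: which direct dependencies pull in a given package@version, and along which path. The following is an added example, not DepShield's or VS Code's own code, that performs that query. The graph is constructed for illustration: the package names and versions are taken from the trees in these issues, the edges are assumed. It lists every path from a direct dependency to a target, renders it in the same "└─" style, and reports which direct dependencies must be upgraded to clear every occurrence (a cycle guard keeps the walk terminating on real npm graphs, which do contain cycles).

```javascript
// Added example (not DepShield's or VS Code's code): find every path from a
// direct dependency down to a vulnerable package@version.

// Constructed sample graph modelled on the occurrence trees on this page.
// Keys are "name:version"; values are the packages that entry depends on.
const sampleGraph = {
  "gulp-cssnano:2.1.3": ["cssnano:3.10.0"],
  "cssnano:3.10.0": ["postcss-svgo:2.1.6", "postcss-merge-rules:2.1.2"],
  "postcss-svgo:2.1.6": ["svgo:0.7.2"],
  "svgo:0.7.2": ["js-yaml:3.7.0", "coa:1.0.4"],
  "coa:1.0.4": ["q:1.5.1"],
  "postcss-merge-rules:2.1.2": ["caniuse-api:1.6.1"],
  "caniuse-api:1.6.1": ["lodash.memoize:4.1.2"],
  "js-yaml:3.7.0": [],
  "q:1.5.1": [],
  "lodash.memoize:4.1.2": [],
  "vsce:1.48.0": ["vso-node-api:6.1.2-preview"],
  "vso-node-api:6.1.2-preview": ["q:1.5.1"],
};

// The project's direct dependencies: the roots a finding is attributed to.
const sampleDirectDeps = ["gulp-cssnano:2.1.3", "vsce:1.48.0"];

// Depth-first search returning every root-to-target path. `onPath` holds the
// nodes on the current path so a cycle (a -> b -> a) is skipped, not followed.
function findPaths(graph, roots, target) {
  const paths = [];
  function walk(node, path, onPath) {
    if (node === target) { paths.push([...path, node]); return; }
    if (onPath.has(node)) return;
    onPath.add(node);
    for (const dep of graph[node] || []) walk(dep, [...path, node], onPath);
    onPath.delete(node);
  }
  for (const root of roots) walk(root, [], new Set());
  return paths;
}

// Render one path in the indented "└─" layout used by the issues above.
function renderPath(path) {
  return path
    .map((pkg, depth) => (depth === 0 ? pkg : " ".repeat(2 + depth * 6) + "└─ " + pkg))
    .join("\n");
}

// The direct dependencies that must change for the target to disappear:
// every path starts at one of them, so upgrading only some leaves occurrences.
function directDepsIntroducing(graph, roots, target) {
  return [...new Set(findPaths(graph, roots, target).map((p) => p[0]))];
}

console.log(findPaths(sampleGraph, sampleDirectDeps, "q:1.5.1").map(renderPath).join("\n\n"));
```

Pointing the same walk at a parsed package-lock.json or yarn.lock (one entry per resolved name:version, with its `dependencies` as edges) reproduces the tool's output and, more usefully, tells you whether a fix has to land in one direct dependency or in several.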

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of q:1.5.1

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):


Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

asar:0.14.6
        └─ mksnapshot:0.3.5
              └─ decompress-zip:0.3.3
                    └─ q:1.5.1

gulp-cssnano:2.1.3
        └─ cssnano:3.10.0
              └─ postcss-svgo:2.1.6
                    └─ svgo:0.7.2
                          └─ coa:1.0.4
                                └─ q:1.5.1

vsce:1.48.0
        └─ vso-node-api:6.1.2-preview
              └─ q:1.5.1

CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz - autoclosed

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/kind-of/package.json,/extensions/markdown-language-features/node_modules/kind-of/package.json,/extensions/vscode-test-resolver/node_modules/kind-of/package.json

Dependency Hierarchy:

  • vscode-1.1.5.tgz (Root Library)
    • gulp-symdest-1.1.1.tgz
      • vinyl-fs-2.4.4.tgz
        • glob-stream-5.3.5.tgz
          • micromatch-2.3.11.tgz
            • braces-1.8.5.tgz
              • expand-range-1.8.2.tgz
                • fill-range-2.2.4.tgz
                  • randomatic-3.1.1.tgz
                    • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
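
An added example, not kind-of's code, of the type confusion the advisory describes. A JSON payload that carries an own property named constructor makes a detector that trusts `value.constructor.name` report whatever the attacker chose, while a detector built on Object.prototype.toString and Object.getPrototypeOf never reads own properties and cannot be steered from JSON. The payload and both detectors are constructed for illustration.

```javascript
// Added example (not kind-of's code): spoofable vs. non-spoofable type detection.

// Constructed payload modelled on the advisory's 'constructor': {'name': 'Symbol'}.
// JSON.parse creates "constructor" as an ordinary own property of the object.
const spoofed = JSON.parse('{"constructor": {"name": "Symbol"}, "role": "admin"}');

// Naive detection in the style the advisory describes: read the object's own
// (attacker-writable) "constructor" property and trust its "name".
function naiveTypeOf(val) {
  if (val === null) return "null";
  if (typeof val !== "object") return typeof val;
  const name = val.constructor && val.constructor.name;
  return name ? name.toLowerCase() : "object";
}

// Hardened detection. Object.prototype.toString reports the internal class tag
// (Array, Date, RegExp, Map, ...), which a plain JSON object cannot set, and
// Object.getPrototypeOf walks the real prototype chain, so an own property
// called "constructor" is never consulted.
function safeTypeOf(val) {
  if (val === null) return "null";
  if (typeof val !== "object") return typeof val;
  const tag = Object.prototype.toString.call(val).slice(8, -1).toLowerCase(); // "[object X]" -> "x"
  if (tag !== "object") return tag;
  const proto = Object.getPrototypeOf(val);
  if (proto === null || proto === Object.prototype) return "object";
  const ctor = proto.constructor; // class instances: name of the real constructor
  return typeof ctor === "function" && ctor.name ? ctor.name.toLowerCase() : "object";
}

console.log(naiveTypeOf(spoofed), safeTypeOf(spoofed)); // attacker-chosen vs. actual type
```

The difference matters wherever the detected type gates a code path: a merge routine that treats "symbol" or "date" values as opaque will skip validation an attacker wanted skipped, or a plain-object check will let a crafted payload through. Symbol.toStringTag can still influence the tag, but only from code that already runs in the process, not from a deserialized payload.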

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (vscode): 1.1.6


Step up your Open Source Security Game with WhiteSource here

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json,/extensions/html-language-features/server/node_modules/y18n/package.json,/extensions/css-language-features/node_modules/y18n/package.json,/extensions/css-language-features/server/node_modules/y18n/package.json

Dependency Hierarchy:

  • mocha-7.0.1.tgz (Root Library)
    • yargs-13.3.0.tgz
      • y18n-4.0.0.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (mocha): 7.1.0


[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isinteger:4.0.4

Vulnerabilities

DepShield reports that this application's usage of lodash.isinteger:4.0.4 results in the following vulnerability(s):


Occurrences

lodash.isinteger:4.0.4 is a transitive dependency introduced by the following direct dependency(s):

vscode-nsfw:1.2.8
        └─ lodash.isinteger:4.0.4

[DepShield] (CVSS 4.3) Vulnerability due to usage of bl:4.1.0

Vulnerabilities

DepShield reports that this application's usage of bl:4.1.0 results in the following vulnerability(s):


Occurrences

bl:4.1.0 is a transitive dependency introduced by the following direct dependency(s):

deemon:1.6.0
        └─ bl:4.1.0

keytar:5.6.0
        └─ prebuild-install:5.3.3
              └─ tar-fs:2.1.1
                    └─ tar-stream:2.2.0
                          └─ bl:4.1.0

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:4.0.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):


Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

ts-loader:4.5.0
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ has-value:1.0.0
                                      └─ has-values:1.0.0
                                            └─ kind-of:4.0.0

CVE-2020-7608 (Medium) detected in yargs-parser-13.1.1.tgz - autoclosed

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-13.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz

Path to dependency file: /extensions/html-language-features/server/package.json

Path to vulnerable library: /extensions/html-language-features/server/node_modules/yargs-parser/package.json,/extensions/css-language-features/server/node_modules/yargs-parser/package.json,/extensions/css-language-features/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • mocha-7.0.1.tgz (Root Library)
    • yargs-parser-13.1.1.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (mocha): 7.1.1


CVE-2019-16769 (Medium) detected in serialize-javascript-1.5.0.tgz, serialize-javascript-1.9.1.tgz - autoclosed

CVE-2019-16769 - Medium Severity Vulnerability

Vulnerable Libraries - serialize-javascript-1.5.0.tgz, serialize-javascript-1.9.1.tgz

serialize-javascript-1.5.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-4.5.2.tgz (Root Library)
    • serialize-javascript-1.5.0.tgz (Vulnerable Library)
serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /extensions/markdown-language-features/package.json

Path to vulnerable library: /extensions/markdown-language-features/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

  • webpack-4.41.2.tgz (Root Library)
    • terser-webpack-plugin-1.4.1.tgz
      • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. Node.js environments are not affected, because Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are used in an environment other than Node.js, that environment is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2020-01-17

Fix Resolution (serialize-javascript): 2.1.1

Direct dependency fix Resolution (copy-webpack-plugin): 5.0.5

Fix Resolution (serialize-javascript): 2.1.1

Direct dependency fix Resolution (webpack): 4.41.3


[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):


Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

gulp:4.0.2
        └─ glob-watcher:5.0.5
              └─ chokidar:2.1.8
                    └─ braces:2.3.2
                          └─ fill-range:4.0.0
                                └─ is-number:3.0.0
                                      └─ kind-of:3.2.2

ts-loader:4.5.0
        └─ micromatch:3.1.10
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ has-value:1.0.0
                                      └─ has-values:1.0.0
                                            └─ is-number:3.0.0
                                                  └─ kind-of:3.2.2
                                └─ to-object-path:0.3.0
                                      └─ kind-of:3.2.2
                          └─ class-utils:0.3.6
                                └─ static-extend:0.1.2
                                      └─ object-copy:0.1.0
                                            └─ kind-of:3.2.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ is-accessor-descriptor:0.1.6
                                      └─ kind-of:3.2.2
                                └─ is-data-descriptor:0.1.4
                                      └─ kind-of:3.2.2

webpack:4.46.0
        └─ watchpack:1.7.5
              └─ watchpack-chokidar2:2.0.1
                    └─ chokidar:2.1.8
                          └─ braces:2.3.2
                                └─ fill-range:4.0.0
                                      └─ is-number:3.0.0
                                            └─ kind-of:3.2.2

[DepShield] (CVSS 7.5) Vulnerability due to usage of yargs-parser:5.0.1

Vulnerabilities

DepShield reports that this application's usage of yargs-parser:5.0.1 results in the following vulnerability(s):


Occurrences

yargs-parser:5.0.1 is a transitive dependency introduced by the following direct dependency(s):

gulp:4.0.2
        └─ gulp-cli:2.3.0
              └─ yargs:7.1.2
                    └─ yargs-parser:5.0.1

CVE-2021-27290 (High) detected in multiple libraries - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Libraries - ssri-6.0.1.tgz, ssri-5.3.0.tgz, ssri-8.0.0.tgz

ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssri/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • terser-webpack-plugin-1.4.4.tgz
      • cacache-12.0.4.tgz
        • ssri-6.0.1.tgz (Vulnerable Library)
ssri-5.3.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssri/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-4.5.2.tgz (Root Library)
    • cacache-10.0.4.tgz
      • ssri-5.3.0.tgz (Vulnerable Library)
ssri-8.0.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-8.0.0.tgz

Path to dependency file: /extensions/typescript-language-features/package.json

Path to vulnerable library: /extensions/typescript-language-features/node_modules/ssri/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-6.0.3.tgz (Root Library)
    • cacache-15.0.5.tgz
      • ssri-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
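
Backtracking in a regular expression is what makes strict SRI parsing super-linear on a hostile input. The following is an added example, not ssri's code, that parses and strictly validates a Subresource Integrity string in one left-to-right pass with no regular expression at all, so every loop advances the cursor and the cost is linear in the input length whatever its content. The algorithm whitelist, base64 digest lengths and "?option" grammar follow the SRI specification; the input length cap, the option parameter names and the sample digest (SHA-256 of the empty string) are the example's own choices.

```javascript
// Added example (not ssri's code): linear-time strict parser for SRI strings
// such as "sha384-<base64>?opt1?opt2".

const SRI_ALGORITHMS = new Set(["sha256", "sha384", "sha512"]);
// Base64 length of a 32-, 48- and 64-byte digest, padding included.
const DIGEST_LENGTH = { sha256: 44, sha384: 64, sha512: 88 };

function isBase64Char(c) {
  return (c >= "A" && c <= "Z") || (c >= "a" && c <= "z") || (c >= "0" && c <= "9") || c === "+" || c === "/";
}

// Returns { algorithm, digest, options } or null. No step ever re-scans text
// it has already consumed, so a crafted input cannot blow up the run time.
function parseSri(str, { strict = true, maxLength = 4096 } = {}) {
  if (typeof str !== "string" || str.length > maxLength) return null; // cap before doing any work
  const dash = str.indexOf("-");
  if (dash <= 0) return null;
  const algorithm = str.slice(0, dash).toLowerCase();
  if (strict && !SRI_ALGORITHMS.has(algorithm)) return null;

  // Digest: base64 body, then at most two "=" padding characters.
  let i = dash + 1;
  while (i < str.length && isBase64Char(str[i])) i++;
  const bodyEnd = i;
  while (i < str.length && i - bodyEnd < 2 && str[i] === "=") i++;
  if (bodyEnd === dash + 1) return null; // empty digest
  const digest = str.slice(dash + 1, i);
  if (strict && digest.length !== DIGEST_LENGTH[algorithm]) return null;

  // Options: each introduced by "?", non-empty, printable ASCII, no whitespace.
  const options = [];
  while (i < str.length) {
    if (str[i] !== "?") return null; // anything else after the digest is junk
    let j = i + 1;
    while (j < str.length && str[j] !== "?") {
      const code = str.charCodeAt(j);
      if (code < 0x21 || code > 0x7e) return null;
      j++;
    }
    if (j === i + 1) return null; // "?" with nothing after it
    options.push(str.slice(i + 1, j));
    i = j;
  }
  return { algorithm, digest, options };
}

// SHA-256 of the empty string, base64 encoded (a constructed sample input).
const sampleSri = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
console.log(parseSri(sampleSri));
```

Strict mode rejects unknown algorithms, digests of the wrong length and malformed option lists outright, so the parser both avoids the ReDoS and refuses the inputs a lenient regex would have accepted; a length cap up front means even the linear pass is bounded.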

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (webpack): 4.44.0

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (copy-webpack-plugin): 5.0.0

Fix Resolution (ssri): 8.0.1

Direct dependency fix Resolution (copy-webpack-plugin): 6.0.4


[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.8

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):


Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

gulp-json-editor:2.5.5
        └─ js-beautify:1.13.13
              └─ config-chain:1.1.12
                    └─ ini:1.3.8

keytar:5.6.0
        └─ prebuild-install:5.3.3
              └─ rc:1.2.8
                    └─ ini:1.3.8

webpack-cli:3.3.12
        └─ findup-sync:3.0.0
              └─ resolve-dir:1.0.1
                    └─ global-modules:1.0.0
                          └─ global-prefix:1.0.2
                                └─ ini:1.3.8
        └─ global-modules:2.0.0
              └─ global-prefix:3.0.0
                    └─ ini:1.3.8

[DepShield] (CVSS 8.8) Vulnerability due to usage of minimist:0.0.8

Vulnerabilities

DepShield reports that this application's usage of minimist:0.0.8 results in the following vulnerability(s):


Occurrences

minimist:0.0.8 is a transitive dependency introduced by the following direct dependency(s):

mocha:2.5.3
        └─ mkdirp:0.5.1
              └─ minimist:0.0.8

CVE-2019-10747 (High) detected in set-value-0.4.3.tgz, set-value-2.0.0.tgz - autoclosed

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • union-value-1.0.0.tgz
              • set-value-0.4.3.tgz (Vulnerable Library)
set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • set-value-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (webpack): 4.44.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (webpack): 4.44.0


[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:1.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:1.1.0 results in the following vulnerability(s):


Occurrences

kind-of:1.1.0 is a transitive dependency introduced by the following direct dependency(s):

gulp-filter:5.1.0
        └─ plugin-error:0.1.2
              └─ extend-shallow:1.1.4
                    └─ kind-of:1.1.0

[DepShield] (CVSS 8.8) Vulnerability due to usage of minimist:0.0.10

Vulnerabilities

DepShield reports that this application's usage of minimist:0.0.10 results in the following vulnerability(s):


Occurrences

minimist:0.0.10 is a transitive dependency introduced by the following direct dependency(s):

gulp-azure-storage:0.10.0
        └─ optimist:0.6.1
              └─ minimist:0.0.10

CVE-2020-28498 (Medium) detected in elliptic-6.5.3.tgz - autoclosed

CVE-2020-28498 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.3.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz

Path to dependency file: vscode/extensions/simple-browser/node_modules/elliptic/package.json

Path to vulnerable library: vscode/extensions/simple-browser/node_modules/elliptic/package.json,vscode/yarn.lock

Dependency Hierarchy:

  • webpack-stream-5.2.1.tgz (Root Library)
    • webpack-4.46.0.tgz
      • node-libs-browser-2.2.1.tgz
        • crypto-browserify-3.12.0.tgz
          • create-ecdh-4.0.4.tgz
            • elliptic-6.5.3.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
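
An added example, not elliptic's code, of the check the advisory says is missing: before a peer-supplied point is fed into ECDH scalar multiplication, confirm that it actually satisfies the secp256k1 curve equation with reduced coordinates. A point that is off the curve lies on some other curve with the same formulas, typically one with small-order subgroups, and each shared secret computed with it leaks the private scalar modulo a small number; enough such exchanges reconstruct the whole key. The curve constants below are the published secp256k1 parameters; the SEC1 uncompressed encode/decode helpers and the tampered key are the example's own.

```javascript
// Added example (not elliptic's code): validate a peer's secp256k1 public key
// before using it in ECDH.

// secp256k1 domain parameters: the curve is y^2 = x^3 + 7 over GF(P).
const P  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn;
const GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n;
const GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n;

const mod = (a, m) => ((a % m) + m) % m;

// The check elliptic skipped: both coordinates reduced mod P and the curve
// equation satisfied. secp256k1 has cofactor 1, so an on-curve affine point
// is automatically in the prime-order group; no separate subgroup check is needed.
function isOnCurve(x, y) {
  if (typeof x !== "bigint" || typeof y !== "bigint") return false;
  if (x < 0n || x >= P || y < 0n || y >= P) return false;
  return mod(y * y, P) === mod(x * x * x + 7n, P);
}

// Decode an uncompressed SEC1 key (0x04 || X || Y, 65 bytes) and validate it.
// Compressed keys (0x02/0x03) are rejected here; decompressing them already
// forces the point onto the curve, but the reduced-x check still applies.
function decodePublicKey(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 65 || bytes[0] !== 0x04) return null;
  const toBig = (b) => b.reduce((acc, v) => (acc << 8n) | BigInt(v), 0n);
  const x = toBig(bytes.subarray(1, 33));
  const y = toBig(bytes.subarray(33, 65));
  return isOnCurve(x, y) ? { x, y } : null;
}

function encodePoint(x, y) {
  const out = new Uint8Array(65);
  out[0] = 0x04;
  for (let i = 0; i < 32; i++) {
    out[1 + i] = Number((x >> BigInt(8 * (31 - i))) & 0xffn);
    out[33 + i] = Number((y >> BigInt(8 * (31 - i))) & 0xffn);
  }
  return out;
}

// Constructed "peer key": the generator with the last byte of Y flipped.
const tampered = encodePoint(GX, GY);
tampered[64] ^= 1;
console.log(decodePublicKey(encodePoint(GX, GY)) !== null, decodePublicKey(tampered)); // true null
```

The rule generalizes beyond this library: any ECDH or ECDSA-verification path that accepts an externally supplied point must validate it (on-curve, reduced coordinates, not the point at infinity, and in the prime-order subgroup when the cofactor is larger than 1) before the private scalar touches it.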

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4


CVE-2019-10744 (High) detected in multiple libraries - autoclosed

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash.template-3.6.2.tgz, lodash.template-4.4.0.tgz, lodash-4.17.10.tgz

lodash.template-3.6.2.tgz

The modern build of lodash’s `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /extensions/vscode-test-resolver/package.json

Path to vulnerable library: /extensions/vscode-test-resolver/node_modules/lodash.template/package.json,/extensions/vscode-colorize-tests/node_modules/lodash.template/package.json,/extensions/emmet/node_modules/lodash.template/package.json,/extensions/vscode-api-tests/node_modules/lodash.template/package.json,/build/node_modules/lodash.template/package.json,/extensions/markdown-language-features/node_modules/lodash.template/package.json

Dependency Hierarchy:

  • vscode-1.1.5.tgz (Root Library)
    • gulp-filter-5.0.1.tgz
      • gulp-util-3.0.8.tgz
        • lodash.template-3.6.2.tgz (Vulnerable Library)
lodash.template-4.4.0.tgz

The lodash method `_.template` exported as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash.template/package.json

Dependency Hierarchy:

  • gulp-shell-0.6.5.tgz (Root Library)
    • lodash.template-4.4.0.tgz (Vulnerable Library)
lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /extensions/vscode-api-tests/package.json

Path to vulnerable library: /extensions/vscode-api-tests/node_modules/lodash/package.json,/extensions/vscode-colorize-tests/node_modules/lodash/package.json

Dependency Hierarchy:

  • mocha-multi-reporters-1.1.7.tgz (Root Library)
    • lodash-4.17.10.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
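
All four prototype-pollution advisories on this page (y18n's updateLocale, yargs-parser, set-value and lodash's defaultsDeep) come from the same pattern: a recursive merge or nested assignment that walks attacker-controlled keys and, on reaching a key named __proto__ (or constructor.prototype), lands on Object.prototype and writes the attacker's properties there, where every object in the process inherits them. The following is an added example, not code from any of those packages: the vulnerable merge next to a hardened one, with a helper that reports whether a merge leaked a property onto unrelated objects and cleans up afterwards. The payload is constructed from the shape the advisories describe.

```javascript
// Added example (not lodash, set-value, yargs-parser or y18n code):
// prototype pollution through a recursive merge, and the fix.

const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: iterates the source's own keys, which for a JSON payload include
// an own property literally named "__proto__". Reading target["__proto__"]
// returns Object.prototype (a plain object as far as this check can tell),
// so the recursion merges the attacker's properties into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: never follow the three keys that reach the prototype chain, and
// only descend into objects the target owns itself, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTION_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Merge the advisory-style payload into a fresh object and report whether an
// unrelated object picked up the attacker's property. Removes the property
// afterwards so the rest of the process is not left polluted.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed payload
  mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log("unsafeMerge pollutes:", pollutes(unsafeMerge)); // true
console.log("safeMerge pollutes:", pollutes(safeMerge));     // false
```

Skipping the keys is the library-level fix; at the application level, parsing untrusted input into objects created with Object.create(null), or freezing Object.prototype early in startup, stops the same class of bug in dependencies you have not audited.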

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (vscode): 1.1.18

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp-shell): 0.7.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (mocha-multi-reporters): 1.5.0


Step up your Open Source Security Game with WhiteSource here

DepShield encountered errors while building your project

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.

* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.memoize:4.1.2

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):


Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

gulp-cssnano:2.1.3
        └─ cssnano:3.10.0
              └─ postcss-merge-rules:2.1.2
                    └─ caniuse-api:1.6.1
                          └─ lodash.memoize:4.1.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2016-10540 (High) detected in minimatch-0.3.0.tgz - autoclosed

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Library - minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json,/extensions/vscode-notebook-tests/node_modules/minimatch/package.json,/extensions/emmet/node_modules/minimatch/package.json,/extensions/vscode-custom-editor-tests/node_modules/minimatch/package.json

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • glob-3.2.11.tgz
      • minimatch-0.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-05-31

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (mocha): 3.0.0-0


[DepShield] (CVSS 8.8) Vulnerability due to usage of growl:1.9.2

Vulnerabilities

DepShield reports that this application's usage of growl:1.9.2 results in the following vulnerability(s):


Occurrences

growl:1.9.2 is a transitive dependency introduced by the following direct dependency(s):

mocha:2.5.3
        └─ growl:1.9.2

CVE-2020-15168 (Medium) detected in node-fetch-2.6.0.tgz

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Path to dependency file: /extensions/microsoft-authentication/package.json

Path to vulnerable library: /extensions/microsoft-authentication/package.json,/extensions/github-authentication/package.json,/extensions/github/package.json

Dependency Hierarchy:

  • node-fetch-2.6.0.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you rely on node-fetch to gate files above a size, the impact could be significant: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1


Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.3) Vulnerability due to usage of axios:0.19.2

Vulnerabilities

DepShield reports that this application's usage of axios:0.19.2 results in the following vulnerability(s):


Occurrences

axios:0.19.2 is a transitive dependency introduced by the following direct dependency(s):

tas-client:0.0.950
        └─ axios:0.19.2

[DepShield] (CVSS 7.5) Vulnerability due to usage of ssri:5.3.0

Vulnerabilities

DepShield reports that this application's usage of ssri:5.3.0 results in the following vulnerability(s):


Occurrences

ssri:5.3.0 is a transitive dependency introduced by the following direct dependency(s):

copy-webpack-plugin:4.6.0
        └─ cacache:10.0.4
              └─ ssri:5.3.0

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clone:4.5.0

Vulnerabilities

DepShield reports that this application's usage of lodash.clone:4.5.0 results in the following vulnerability(s):


Occurrences

lodash.clone:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

webpack-stream:5.2.1
        └─ lodash.clone:4.5.0

CVE-2018-3774 (High) detected in url-parse-1.2.0.tgz - autoclosed

CVE-2018-3774 - High Severity Vulnerability

Vulnerable Library - url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Path to dependency file: /extensions/vscode-api-tests/package.json

Path to vulnerable library: /extensions/vscode-api-tests/node_modules/url-parse/package.json,/extensions/vscode-colorize-tests/node_modules/url-parse/package.json

Dependency Hierarchy:

  • vscode-1.1.5.tgz (Root Library)
    • url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns the wrong hostname, which leads to multiple vulnerabilities such as SSRF, open redirect and authentication bypass.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (vscode): 1.1.6


CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /remote/package.json

Path to vulnerable library: /remote/package.json

Dependency Hierarchy:

  • spdlog-0.11.1.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (spdlog): 0.12.0


CVE-2018-20834 (High) detected in tar-0.1.20.tgz, tar-2.2.1.tgz - autoclosed

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Libraries - tar-0.1.20.tgz, tar-2.2.1.tgz

tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /extensions/emmet/package.json

Path to vulnerable library: /extensions/emmet/node_modules/tar/package.json

Dependency Hierarchy:

  • vscode-1.0.1.tgz (Root Library)
    • gulp-untar-0.0.4.tgz
      • tar-0.1.20.tgz (Vulnerable Library)

tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /extensions/vscode-test-resolver/package.json

Path to vulnerable library: /extensions/vscode-test-resolver/node_modules/tar/package.json,/extensions/vscode-api-tests/node_modules/tar/package.json,/extensions/vscode-colorize-tests/node_modules/tar/package.json

Dependency Hierarchy:

  • vscode-1.1.5.tgz (Root Library)
    • gulp-untar-0.0.6.tgz
      • tar-2.2.1.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (vscode): 1.1.0

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (vscode): 1.1.6


[DepShield] (CVSS 9.0) Vulnerability due to usage of serialize-javascript:1.9.1

Vulnerabilities

DepShield reports that this application's usage of serialize-javascript:1.9.1 results in the following vulnerability(s):


Occurrences

serialize-javascript:1.9.1 is a transitive dependency introduced by the following direct dependency(s):

copy-webpack-plugin:4.6.0
        └─ serialize-javascript:1.9.1

CVE-2021-23364 (Medium) detected in browserslist-4.16.1.tgz - autoclosed

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.1.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.1.tgz

Path to dependency file: vscode/yarn.lock

Path to vulnerable library: vscode/yarn.lock

Dependency Hierarchy:

  • cssnano-4.1.10.tgz (Root Library)
    • cssnano-preset-default-4.0.7.tgz
      • postcss-reduce-initial-4.0.3.tgz
        • caniuse-api-3.0.0.tgz
          • browserslist-4.16.1.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

Versions of the package browserslist from 4.0.0 before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5


CVE-2020-28168 (Medium) detected in axios-0.19.2.tgz

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.19.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • tas-client-0.0.950.tgz (Root Library)
    • axios-0.19.2.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

Axios NPM package versions up to and including 0.21.0 contain a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address (fixed in 0.21.1).

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (tas-client): 0.1.16


WS-2018-0625 (High) detected in xmlbuilder-0.4.3.tgz, xmlbuilder-9.0.4.tgz - autoclosed

WS-2018-0625 - High Severity Vulnerability

Vulnerable Libraries - xmlbuilder-0.4.3.tgz, xmlbuilder-9.0.4.tgz

xmlbuilder-0.4.3.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-0.4.3.tgz

Path to dependency file: /build/package.json

Path to vulnerable library: /build/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • azure-storage-2.6.0.tgz (Root Library)
    • xmlbuilder-0.4.3.tgz (Vulnerable Library)

xmlbuilder-9.0.4.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-9.0.4.tgz

Path to dependency file: /build/package.json

Path to vulnerable library: /build/node_modules/xmlbuilder/package.json,/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • xml2js-0.4.19.tgz (Root Library)
    • xmlbuilder-9.0.4.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: oozcitak/xmlbuilder-js@bbf929a

Release Date: 2018-02-08

Fix Resolution (xmlbuilder): 9.0.5

Direct dependency fix Resolution (azure-storage): 2.10.2

Fix Resolution (xmlbuilder): 9.0.5

Direct dependency fix Resolution (xml2js): 0.4.20


CVE-2021-32640 (Medium) detected in ws-7.4.4.tgz - autoclosed

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-7.4.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Dependency Hierarchy:

  • playwright-1.9.2.tgz (Root Library)
    • ws-7.4.4.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-WebSocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (playwright): 1.10.0-1616532968000


[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._reinterpolate:3.0.0

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):


Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

gulp-shell:0.6.5
        └─ lodash.template:4.5.0
              └─ lodash._reinterpolate:3.0.0
              └─ lodash.templatesettings:4.2.0
                    └─ lodash._reinterpolate:3.0.0

WS-2020-0042 (High) detected in acorn-6.0.7.tgz - autoclosed

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-6.0.7.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/acorn/package.json

Dependency Hierarchy:

  • gulp-eslint-5.0.0.tgz (Root Library)
    • eslint-5.13.0.tgz
      • espree-5.0.0.tgz
        • acorn-6.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

acorn is vulnerable to regular expression denial of service (ReDoS). A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a denial of service, since the string is not valid UTF-16, which results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (gulp-eslint): 6.0.0


WS-2018-0084 (High) detected in sshpk-1.13.1.tgz - autoclosed

WS-2018-0084 - High Severity Vulnerability

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: vscode/extensions/vscode-api-tests/package.json

Path to vulnerable library: vscode/extensions/vscode-api-tests/node_modules/sshpk/package.json,vscode/extensions/emmet/node_modules/sshpk/package.json,vscode/extensions/markdown-language-features/node_modules/sshpk/package.json,vscode/extensions/vscode-colorize-tests/node_modules/sshpk/package.json

Dependency Hierarchy:

  • vscode-1.1.5.tgz (Root Library)
    • request-2.83.0.tgz
      • http-signature-1.2.0.tgz
        • sshpk-1.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1


[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isundefined:3.0.1

Vulnerabilities

DepShield reports that this application's usage of lodash.isundefined:3.0.1 results in the following vulnerability(s):


Occurrences

lodash.isundefined:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

vscode-nsfw:1.2.8
        └─ lodash.isundefined:3.0.1

CVE-2021-23358 (High) detected in underscore-1.9.1.tgz, underscore-1.8.3.tgz - autoclosed

CVE-2021-23358 - High Severity Vulnerability

Vulnerable Libraries - underscore-1.9.1.tgz, underscore-1.8.3.tgz

underscore-1.9.1.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz

Path to dependency file: /build/package.json

Path to vulnerable library: /build/node_modules/underscore/package.json

Dependency Hierarchy:

  • vsce-1.48.0.tgz (Root Library)
    • vso-node-api-6.1.2-preview.tgz
      • underscore-1.9.1.tgz (Vulnerable Library)

underscore-1.8.3.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz

Path to dependency file: /build/package.json

Path to vulnerable library: /build/node_modules/underscore/package.json,/node_modules/underscore/package.json

Dependency Hierarchy:

  • vsce-1.48.0.tgz (Root Library)
    • vso-node-api-6.1.2-preview.tgz
      • typed-rest-client-0.9.0.tgz
        • underscore-1.8.3.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

Versions of the package underscore from 1.13.0-0 before 1.13.0-2 and from 1.3.2 before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution (underscore): 1.12.1

Direct dependency fix Resolution (vsce): 1.88.0

Fix Resolution (underscore): 1.12.1

Direct dependency fix Resolution (vsce): 1.88.0


CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz - autoclosed

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mixin-deep/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 9fd6b056a06e14655f4f0b0f631d670b24878828

Found in base branch: webview-views

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
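The mechanism shared by this mixin-deep issue, CVE-2019-10744 (lodash defaultsDeep) and CVE-2020-7598 (minimist) above, as an added Node.js example: a recursive merge that follows a `__proto__` key or a `constructor.prototype` chain ends up writing into Object.prototype, and a merge that refuses those keys and only recurses into own plain-object properties does not. This is not the code of any of those libraries or of the project; `naiveMerge`, `safeMerge`, `isPrototypePolluted` and the two JSON payloads are constructed for illustration.

```javascript
'use strict';

// Keys through which a merge can reach Object.prototype.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Vulnerable shape: recurse into whatever target[key] resolves to. For "__proto__"
// that is the inherited accessor (Object.prototype itself); for "constructor" it is
// the Object function, whose "prototype" is again Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObjectLike(value) && isObjectLike(target[key])) {
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: drop the three keys outright (or throw, by policy), recurse only
// into plain objects that are own properties of target, and create fresh
// containers otherwise, so the walk can never leave the target object graph.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime check usable in tests or a health probe: a fresh object must not
// inherit the marker property.
function isPrototypePolluted(marker) {
  return marker in {};
}

// Run both merges against constructed JSON payloads and report what each did.
// JSON.parse produces an own "__proto__" key, which is how such payloads arrive
// from untrusted input. Object.prototype is restored after every naive merge.
function demonstrate() {
  const payloads = [
    '{"__proto__": {"polluted": "yes"}}',
    '{"constructor": {"prototype": {"polluted": "yes"}}}',
  ];
  return payloads.map((json) => {
    naiveMerge({}, JSON.parse(json));
    const afterNaive = isPrototypePolluted('polluted');
    delete Object.prototype.polluted;
    const merged = safeMerge({}, JSON.parse(json));
    const afterSafe = isPrototypePolluted('polluted');
    return { payload: json, afterNaive, afterSafe, mergedKeys: Object.keys(merged) };
  });
}
```

`demonstrate()` reports `afterNaive: true` and `afterSafe: false` for both payloads. Where a merge target only ever needs to carry data, `Object.create(null)` or a `Map` removes the reachable prototype altogether and is a simpler guarantee than key filtering.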

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (webpack): 4.44.0


[DepShield] (CVSS 7.5) Vulnerability due to usage of browserify-mime:1.2.9

Vulnerabilities

DepShield reports that this application's usage of browserify-mime:1.2.9 results in the following vulnerability(s):


Occurrences

browserify-mime:1.2.9 is a transitive dependency introduced by the following direct dependency(s):

gulp-azure-storage:0.10.0
        └─ azure-storage:2.10.3
              └─ browserify-mime:1.2.9

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:5.1.0

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):


Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

gulp:4.0.2
        └─ gulp-cli:2.3.0
              └─ array-sort:1.0.0
                    └─ kind-of:5.1.0
                    └─ default-compare:1.0.0
                          └─ kind-of:5.1.0

ts-loader:4.5.0
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ kind-of:5.1.0

[DepShield] (CVSS 7.5) Vulnerability due to usage of mocha:2.5.3

Vulnerabilities

DepShield reports that this application's usage of mocha:2.5.3 results in the following vulnerability(s):

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.uniq:4.5.0

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):


Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

gulp-cssnano:2.1.3
        └─ cssnano:3.10.0
              └─ postcss-merge-rules:2.1.2
                    └─ caniuse-api:1.6.1
                          └─ lodash.uniq:4.5.0

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):


Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

electron:11.2.2
        └─ extract-zip:1.7.0
              └─ debug:2.6.9

mocha-junit-reporter:1.23.3
        └─ debug:2.6.9

ts-loader:4.5.0
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.2.0

Vulnerabilities

DepShield reports that this application's usage of debug:2.2.0 results in the following vulnerability(s):


Occurrences

debug:2.2.0 is a transitive dependency introduced by the following direct dependency(s):

mocha:2.5.3
        └─ debug:2.2.0

[DepShield] (CVSS 7.5) Vulnerability due to usage of diff:1.4.0

Vulnerabilities

DepShield reports that this application's usage of diff:1.4.0 results in the following vulnerability(s):


Occurrences

diff:1.4.0 is a transitive dependency introduced by the following direct dependency(s):

mocha:2.5.3
        └─ diff:1.4.0

CVE-2020-7788 (High) detected in ini-1.3.5.tgz - autoclosed

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /extensions/github-authentication/package.json

Path to vulnerable library: /extensions/github-authentication/node_modules/ini/package.json,/extensions/microsoft-authentication/node_modules/ini/package.json

Dependency Hierarchy:

  • keytar-4.4.2.tgz (Root Library)
    • keytar-5.0.0.tgz
      • prebuild-install-5.3.3.tgz
        • rc-1.2.8.tgz
          • ini-1.3.5.tgz (Vulnerable Library)

Found in base branch: webview-views

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6


[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.some:4.6.0

Vulnerabilities

DepShield reports that this application's usage of lodash.some:4.6.0 results in the following vulnerability(s):


Occurrences

lodash.some:4.6.0 is a transitive dependency introduced by the following direct dependency(s):

webpack-stream:5.2.1
        └─ lodash.some:4.6.0
