Git Product home page Git Product logo

vue-devtools's Introduction

vue-devtools

screenshot

Installation

Important Usage Notes

  1. If the page uses a production/minified build of Vue.js, devtools inspection is disabled by default so the Vue pane won't show up.

  2. To make it work for pages opened via file:// protocol, you need to check "Allow access to file URLs" for this extension in Chrome's extension management panel.

  3. The events tab only show custom events emitted by a component. More information on custom events can be found in the documentation.

Open component in editor

To enable this feature, follow this guide.

Manual Installation

This is only necessary when you want to build the extension with the source repo to get not-yet-released features.

Make sure you are using Node 6+ and NPM 3+

  1. Clone this repo
  2. cd vue-devtools the newly created folder
  3. run yarn install
  4. then run yarn run build
  5. Open the Chrome extension page (currently under Menu > More Tools > Extensions)
  6. Check "developer mode" on the top-right corner
  7. Click the "load unpacked" button on the left, and choose the folder: vue-devtools/packages/shell-chrome/
  8. Alternatively to step 3, you can also use yarn dev:chrome to build & watch the unpacked extension

Development

  1. Clone this repo
  2. run yarn install
  3. then run yarn run dev
  4. A plain shell with a test app will be available at localhost:8100.

Testing as Firefox addon

  1. Install web-ext

    $ yarn global add web-ext

    Also, make sure PATH is set up. Something like this in ~/.bash_profile:

    $ PATH=$PATH:$(yarn global bin)

  2. Build and run in Firefox

    $ yarn run build
$ yarn run run:firefox

Force enable the devtools

// Before you create app
Vue.config.devtools = process.env.NODE_ENV === 'development'

// After you create app
window.__VUE_DEVTOOLS_GLOBAL_HOOK__.Vue = app.constructor

// then had to add in ./store.js as well.
Vue.config.devtools = process.env.NODE_ENV === 'development'

Common problems and how to fix

  1. Fixing "Download the Vue Devtools for a better development experience" console message when working locally over file:// protocol: 1.1 - Google Chrome: Right click on vue-devtools icon and click "Manage Extensions" then search for vue-devtools on the extensions list. Check the "Allow access to file URLs" box.

  2. How to use the devtools in IE/Edge/Safari or any other browser? Get the standalone Electron app (works with any environment!)

License

MIT

vue-devtools's People

Contributors

1099511627776 avatar akryum avatar andreiglingeanu avatar anteriovieira avatar aprouja1 avatar bajzarpa avatar bartlomieju avatar clarkbw avatar crswll avatar dependabot[bot] avatar dr-itz avatar e-krebs avatar emanuelmutschlechner avatar hootlex avatar leodt avatar manico avatar markussorg avatar michalsnik avatar misenhower avatar posva avatar sbward avatar simplesmiler avatar snyk-bot avatar sp1ker avatar tsoftware-org avatar unclebill avatar yuyz0112 avatar yyx990803 avatar zigomir avatar znck avatar

Stargazers

avatar

Watchers

avatar

vue-devtools's Issues

CVE-2023-45857 (Medium) detected in axios-0.21.1.tgz

CVE-2023-45857 - Medium Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0

Step up your Open Source Security Game with Mend here

CVE-2022-0155 (Medium) detected in follow-redirects-1.13.3.tgz

CVE-2022-0155 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.13.3.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz
        • follow-redirects-1.13.3.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (start-server-and-test): 1.12.1

Step up your Open Source Security Game with Mend here

CVE-2020-8203 (High) detected in lodash-4.17.15.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (cypress): 4.11.0

Step up your Open Source Security Game with Mend here

CVE-2024-28849 (Medium) detected in follow-redirects-1.13.3.tgz

CVE-2024-28849 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.13.3.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz
        • follow-redirects-1.13.3.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

Step up your Open Source Security Game with Mend here

CVE-2021-3749 (High) detected in axios-0.21.1.tgz

CVE-2021-3749 - High Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution (axios): 0.21.2

Direct dependency fix Resolution (start-server-and-test): 1.12.1

Step up your Open Source Security Game with Mend here

CVE-2022-24785 (High) detected in moment-2.24.0.tgz

CVE-2022-24785 - High Severity Vulnerability

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • moment-2.24.0.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (cypress): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2021-3918 (Critical) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - Critical Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • request-2.88.0.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (cypress): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (eslint): 6.0.0

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (cypress): 4.3.0

Step up your Open Source Security Game with Mend here

CVE-2022-24999 (High) detected in qs-6.5.2.tgz

CVE-2022-24999 - High Severity Vulnerability

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • request-2.88.0.tgz
      • qs-6.5.2.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (cypress): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2017-16137 (Low) detected in debug-3.2.6.tgz

CVE-2017-16137 - Low Severity Vulnerability

Vulnerable Library - debug-3.2.6.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/debug/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • debug-3.2.6.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (cypress): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-42581 (Critical) detected in ramda-0.24.1.tgz

CVE-2021-42581 - Critical Severity Vulnerability

Vulnerable Library - ramda-0.24.1.tgz

A practical functional library for JavaScript programmers.

Library home page: https://registry.npmjs.org/ramda/-/ramda-0.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ramda/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • ramda-0.24.1.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "proto") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.

Publish Date: 2022-05-10

URL: CVE-2021-42581

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42581

Release Date: 2022-05-10

Fix Resolution (ramda): 0.27.1

Direct dependency fix Resolution (cypress): 6.6.0

Step up your Open Source Security Game with Mend here

CVE-2021-23364 (Medium) detected in browserslist-4.16.3.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist/package.json

Dependency Hierarchy:

  • autoprefixer-9.8.6.tgz (Root Library)
    • browserslist-4.16.3.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (autoprefixer): 9.8.7

Step up your Open Source Security Game with Mend here

CVE-2023-26136 (Critical) detected in tough-cookie-2.4.3.tgz

CVE-2023-26136 - Critical Severity Vulnerability

Vulnerable Library - tough-cookie-2.4.3.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • request-2.88.0.tgz
      • tough-cookie-2.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (cypress): 4.2.0

Step up your Open Source Security Game with Mend here

CVE-2022-0536 (Medium) detected in follow-redirects-1.13.3.tgz

CVE-2022-0536 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.13.3.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz
        • follow-redirects-1.13.3.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (start-server-and-test): 1.12.1

Step up your Open Source Security Game with Mend here

CVE-2021-23337 (High) detected in lodash-4.17.15.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (cypress): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2023-28155 (Medium) detected in request-2.88.0.tgz

CVE-2023-28155 - Medium Severity Vulnerability

Vulnerable Library - request-2.88.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • request-2.88.0.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-28500 (Medium) detected in lodash-4.17.15.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (cypress): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2022-31129 (High) detected in moment-2.24.0.tgz

CVE-2022-31129 - High Severity Vulnerability

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • moment-2.24.0.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution (moment): 2.29.4

Direct dependency fix Resolution (cypress): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2021-44906 (Critical) detected in multiple libraries

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Libraries - minimist-1.2.5.tgz, minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wait-on/node_modules/minimist/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • minimist-1.2.5.tgz (Vulnerable Library)
minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • minimist-1.2.0.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (start-server-and-test): 1.12.1

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (eslint): 6.0.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (cypress): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2023-26159 (Medium) detected in follow-redirects-1.13.3.tgz

CVE-2023-26159 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.13.3.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz
        • follow-redirects-1.13.3.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution (follow-redirects): 1.15.4

Direct dependency fix Resolution (start-server-and-test): 1.12.1

Step up your Open Source Security Game with Mend here

CVE-2023-25166 (Medium) detected in formula-3.0.0.tgz

CVE-2023-25166 - Medium Severity Vulnerability

Vulnerable Library - formula-3.0.0.tgz

Math and string formula parser.

Library home page: https://registry.npmjs.org/@sideway/formula/-/formula-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@sideway/formula/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • joi-17.4.0.tgz
        • formula-3.0.0.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.

Publish Date: 2023-02-08

URL: CVE-2023-25166

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-25166

Release Date: 2023-02-08

Fix Resolution (@sideway/formula): 3.0.1

Direct dependency fix Resolution (start-server-and-test): 1.12.1

Step up your Open Source Security Game with Mend here

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • resolve-1.20.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (eslint-plugin-import): 2.23.0

Step up your Open Source Security Game with Mend here

CVE-2022-1214 (High) detected in axios-0.21.1.tgz - autoclosed

CVE-2022-1214 - High Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • start-server-and-test-1.12.0.tgz (Root Library)
    • wait-on-5.2.1.tgz
      • axios-0.21.1.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: axios - v0.26.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • read-pkg-up-2.0.0.tgz
      • read-pkg-2.0.0.tgz
        • normalize-package-data-2.5.0.tgz
          • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (eslint-plugin-import): 2.23.0

Step up your Open Source Security Game with Mend here

WS-2017-3738 (Medium) detected in vue-1.0.28.js - autoclosed

WS-2017-3738 - Medium Severity Vulnerability

Vulnerable Library - vue-1.0.28.js

Simple, Fast & Composable MVVM for building interactive interfaces

Library home page: https://cdnjs.cloudflare.com/ajax/libs/vue/1.0.28/vue.js

Path to dependency file: /vue1-test.html

Path to vulnerable library: /vue1-test.html

Dependency Hierarchy:

  • vue-1.0.28.js (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Vue-Project before version 2.3.0-beta.1 has a possible xss vulnerability.

Publish Date: 2017-04-01

URL: WS-2017-3738

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-04-01

Fix Resolution: 2.3.0-beta.1

Step up your Open Source Security Game with Mend here

CVE-2021-3807 (High) detected in ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/inquirer/node_modules/strip-ansi/node_modules/ansi-regex/package.json,/node_modules/table/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • table-5.4.6.tgz
      • string-width-3.1.0.tgz
        • strip-ansi-5.2.0.tgz
          • ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/inquirer/node_modules/ansi-regex/package.json,/node_modules/eslint/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • strip-ansi-4.0.0.tgz
      • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (eslint): 6.0.0

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (eslint): 6.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-26115 (High) detected in word-wrap-1.2.3.tgz

CVE-2023-26115 - High Severity Vulnerability

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/word-wrap/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • optionator-0.8.3.tgz
      • word-wrap-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution: word-wrap - 1.2.4

Step up your Open Source Security Game with Mend here

CVE-2021-43138 (High) detected in async-2.6.1.tgz

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-2.6.1.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

  • cypress-3.8.3.tgz (Root Library)
    • getos-3.1.1.tgz
      • async-2.6.1.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (cypress): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25883 (High) detected in semver-5.7.1.tgz

CVE-2022-25883 - High Severity Vulnerability

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

  • semver-5.7.1.tgz (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: 5.7.2

Step up your Open Source Security Game with Mend here

WS-2018-0596 (Low) detected in vue-1.0.28.js - autoclosed

WS-2018-0596 - Low Severity Vulnerability

Vulnerable Library - vue-1.0.28.js

Simple, Fast & Composable MVVM for building interactive interfaces

Library home page: https://cdnjs.cloudflare.com/ajax/libs/vue/1.0.28/vue.js

Path to dependency file: /vue1-test.html

Path to vulnerable library: /vue1-test.html

Dependency Hierarchy:

  • vue-1.0.28.js (Vulnerable Library)

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

Vue-Project before version 2.5.14 has a potential regex backtrack vulnerability.

Publish Date: 2018-02-21

URL: WS-2018-0596

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-21

Fix Resolution: 2.5.14

Step up your Open Source Security Game with Mend here

CVE-2022-46175 (High) detected in json5-1.0.1.tgz

CVE-2022-46175 - High Severity Vulnerability

Vulnerable Library - json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • tsconfig-paths-3.9.0.tgz
      • json5-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 9b26e1c9a9f29acb59a28a7c236e5fcfbbdda156

Found in base branch: dependabot/npm_and_yarn/electron-9.4.0

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (eslint-plugin-import): 2.23.0

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.