Sponsor devs on github but using crypto and streaming per second.
Home Page: https://sponsor-zhyd1997.vercel.app
Video Show (on mobile
pnpm install
cp .env.example .env
# add your Infura API key (Superfluid SDK needs it)
# add your Alchemy API key (get ERC-20 token balances)
pnpm run devadd FUNDING.yml in your github repo.
add https://sponsor-zhyd1997.vercel.app/<your ENS name or wallet address> at custom field.
Sponsor button at github repo page (if the user set FUNDING.yml file) to start.
Vulnerable Library - styled-11.10.5.tgz
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (styled version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-46175 |  High |
8.8 | json5-2.2.1.tgz | Transitive | 11.10.6 |
CVE-2022-46175JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@types/react, @types/react-dom)package.json
@emotion/react ^11.10.5@emotion/styled ^11.10.5@mui/icons-material ^5.10.9@mui/lab 5.0.0-alpha.106@mui/material ^5.10.12@rainbow-me/rainbowkit ^0.8.0@superfluid-finance/sdk-core ^0.5.7@types/node 18.11.9@types/react 18.0.25@types/react-dom 18.0.9@vercel/analytics ^0.1.3alchemy-sdk ^2.2.0ethers ^5.7.2graphql ^16.6.0next 13.0.1react 18.2.0react-dom 18.2.0react-toastify ^9.1.1sharp ^0.31.2typescript 4.8.4wagmi ^0.8.5
Vulnerable Library - rainbowkit-0.8.0.tgz
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (rainbowkit version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-41713 |  Medium |
5.3 | deep-object-diff-1.1.7.tgz | Transitive | 0.8.1 |
CVE-2022-41713Deep diffs two objects, including nested structures of arrays and objects, and return the difference.
Library home page: https://registry.npmjs.org/deep-object-diff/-/deep-object-diff-1.1.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the 'proto' property to be edited.
Publish Date: 2022-11-03
URL: CVE-2022-41713
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-03
Fix Resolution (deep-object-diff): 1.1.9
Direct dependency fix Resolution (@rainbow-me/rainbowkit): 0.8.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - sdk-core-0.5.7.tgz
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (sdk-core version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2023-30542 | High |
8.8 | contracts-4.7.3.tgz | Transitive | N/A* | |
| CVE-2022-25901 | High |
7.5 | cookiejar-2.1.3.tgz | Transitive | N/A* | |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-4.1.0.tgz | Transitive | N/A* | |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | |
| CVE-2022-33987 | Medium |
5.3 | got-9.6.0.tgz | Transitive | N/A* | |
| CVE-2020-7608 | Medium |
5.3 | yargs-parser-2.4.1.tgz | Transitive | N/A* | |
| CVE-2023-30541 | Medium |
5.3 | contracts-4.7.3.tgz | Transitive | N/A* |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
CVE-2023-30542Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.
Publish Date: 2023-04-16
URL: CVE-2023-30542
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-93hq-5wgc-jc82
Release Date: 2023-04-16
Fix Resolution: @openzeppelin/contracts - 4.8.3;@openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
CVE-2022-25901simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution: cookiejar - 2.1.4
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2020-7608the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Step up your Open Source Security Game with Mend here
CVE-2023-30541Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.
Publish Date: 2023-04-17
URL: CVE-2023-30541
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mx2q-35m2-x2rh
Release Date: 2023-04-17
Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - wagmi-0.8.5.tgz
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (wagmi version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-38900 | High |
7.5 | decode-uri-component-0.2.0.tgz | Transitive | 0.8.6 | |
| CVE-2023-25166 | Medium |
6.5 | formula-3.0.0.tgz | Transitive | 0.8.6 |
CVE-2022-38900A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Dependency Hierarchy:
Found in base branch: main
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
CVE-2023-25166Math and string formula parser.
Library home page: https://registry.npmjs.org/@sideway/formula/-/formula-3.0.0.tgz
Dependency Hierarchy:
Found in base branch: main
formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.
Publish Date: 2023-02-08
URL: CVE-2023-25166
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25166
Release Date: 2023-02-08
Fix Resolution (@sideway/formula): 3.0.1
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.