Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• @babel/cli:7.10.5
        └─ chokidar:2.1.8
              └─ braces:2.3.2
                    └─ snapdragon:0.8.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency @storybook/test-runner to v0.16.0

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Here's the Weekly Digest for 9renpoto/all-star-thanks:

ISSUES

Last week 4 issues were created.
Of these, 4 issues have been closed and 0 issues are still open.

CLOSED ISSUES

❤️ #398 feat(.github) Added auto assign, by 9renpoto
❤️ #397 Update dependency eslint to v6, by renovate[bot]
❤️ #396 Update storybook monorepo to v5.1.9, by renovate[bot]
❤️ #395 Update dependency prettier-eslint-cli to v5, by renovate[bot]

NOISY ISSUE

🔈 #396 Update storybook monorepo to v5.1.9, by renovate[bot]
It received 1 comments.

PULL REQUESTS

Last week, 5 pull requests were created, updated or merged.

MERGED PULL REQUEST

Last week, 5 pull requests were merged.
💜 #398 feat(.github) Added auto assign, by 9renpoto
💜 #397 Update dependency eslint to v6, by renovate[bot]
💜 #396 Update storybook monorepo to v5.1.9, by renovate[bot]
💜 #395 Update dependency prettier-eslint-cli to v5, by renovate[bot]
💜 #387 Update dependency flow-bin to v0.101.1, by renovate[bot]

COMMITS

Last week there were 7 commits.
🛠️ Update dependency eslint to v6 by renovate-bot
🛠️ Merge pull request #398 from 9renpoto/fix/assignee feat(.github) Added auto assign by 9renpoto
🛠️ feat(.github) Added auto assign by 9renpoto
🛠️ Merge pull request #387 from 9renpoto/renovate/flow-bin-0.x Update dependency flow-bin to v0.101.1 by 9renpoto
🛠️ Update dependency flow-bin to v0.101.1 by renovate-bot
🛠️ Update storybook monorepo to v5.1.9 by renovate-bot
🛠️ Update dependency prettier-eslint-cli to v5 by renovate-bot

CONTRIBUTORS

Last week there were 2 contributors.
👤 renovate-bot
👤 9renpoto

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and ⭐ Star the repository 9renpoto/all-star-thanks to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Vulnerabilities

DepShield reports that this application's usage of lodash.isplainobject:4.0.6 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isplainobject:4.0.6 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:4.0.8
        └─ @storybook/core:4.0.8
              └─ babel-preset-minify:0.5.0
                    └─ lodash.isplainobject:4.0.6

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:23.6.0
        └─ jest-cli:23.6.0
              └─ jest-environment-jsdom:23.4.0
                    └─ jsdom:11.12.0
                          └─ data-urls:1.1.0
                                └─ whatwg-url:7.0.0
                                      └─ lodash.sortby:4.7.0
                          └─ whatwg-url:6.5.0
                                └─ lodash.sortby:4.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• @babel/cli:7.10.5
        └─ chokidar:2.1.8
              └─ braces:2.3.2
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ has-value:1.0.0
                                            └─ has-values:1.0.0
                                                  └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• husky:1.3.1
        └─ cosmiconfig:5.1.0
              └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isequal:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isequal:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.0.0
        └─ @storybook/core:5.0.0
              └─ @storybook/client-api:5.0.0
                    └─ lodash.isequal:4.5.0
              └─ @storybook/ui:5.0.0
                    └─ lodash.isequal:4.5.0
        └─ @storybook/theming:5.0.0
              └─ lodash.isequal:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of acorn:6.4.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:6.4.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.3.19
        └─ webpack:4.43.0
              └─ acorn:6.4.1

• jest:25.5.4
        └─ @jest/core:25.5.4
              └─ jest-config:25.5.4
                    └─ jest-environment-jsdom:25.5.0
                          └─ jsdom:15.2.1
                                └─ acorn-globals:4.3.4
                                      └─ acorn:6.4.1

• prettier-eslint-cli:5.0.0
        └─ eslint:5.16.0
              └─ espree:5.0.1
                    └─ acorn:6.4.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.flatten:4.4.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.flatten:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

• snyk:1.167.2
        └─ snyk-resolve-deps:4.0.3
              └─ lodash.flatten:4.4.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.clone:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.clone:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• snyk:1.167.2
        └─ snyk-resolve-deps:4.0.3
              └─ lodash.clone:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:2.0.1 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:2.0.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.3.19
        └─ @svgr/webpack:4.3.3
              └─ @svgr/plugin-svgo:4.3.1
                    └─ merge-deep:3.0.2
                          └─ clone-deep:0.2.4
                                └─ shallow-clone:0.1.2
                                      └─ kind-of:2.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.pick:4.4.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.pick:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.0.0
        └─ @storybook/core:5.0.0
              └─ @storybook/ui:5.0.0
                    └─ @storybook/components:5.0.0
                          └─ lodash.pick:4.4.0
                    └─ lodash.pick:4.4.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.assignin:4.2.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.assignin:4.2.0 is a transitive dependency introduced by the following direct dependency(s):

• snyk:1.167.2
        └─ snyk-resolve-deps:4.0.3
              └─ lodash.assignin:4.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of acorn:5.7.4 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:5.7.4 is a transitive dependency introduced by the following direct dependency(s):

• prettier-eslint-cli:5.0.0
        └─ prettier-eslint:9.0.2
              └─ vue-eslint-parser:2.0.3
                    └─ espree:3.5.4
                          └─ acorn:5.7.4

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• @babel/cli:7.10.5
        └─ chokidar:2.1.8
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ to-object-path:0.3.0
                                            └─ kind-of:3.2.2
                                └─ class-utils:0.3.6
                                      └─ static-extend:0.1.2
                                            └─ object-copy:0.1.0
                                                  └─ kind-of:3.2.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2

• @storybook/react:5.3.19
        └─ @svgr/webpack:4.3.3
              └─ @svgr/plugin-svgo:4.3.1
                    └─ merge-deep:3.0.2
                          └─ clone-deep:0.2.4
                                └─ kind-of:3.2.2
                          └─ kind-of:3.2.2

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ anymatch:1.3.2
                    └─ micromatch:2.3.11
                          └─ braces:1.8.5
                                └─ expand-range:1.8.2
                                      └─ fill-range:2.2.4
                                            └─ is-number:2.1.0
                                                  └─ kind-of:3.2.2
                          └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of acorn:3.3.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:3.3.0 is a transitive dependency introduced by the following direct dependency(s):

• prettier-eslint-cli:5.0.0
        └─ prettier-eslint:9.0.2
              └─ vue-eslint-parser:2.0.3
                    └─ espree:3.5.4
                          └─ acorn-jsx:3.0.1
                                └─ acorn:3.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• snyk:1.167.2
        └─ snyk-policy:1.13.5
              └─ lodash.clonedeep:4.5.0
        └─ snyk-try-require:1.3.1
              └─ lodash.clonedeep:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.assign:4.2.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.assign:4.2.0 is a transitive dependency introduced by the following direct dependency(s):

• flow-typed:2.5.1
        └─ yargs:4.8.1
              └─ lodash.assign:4.2.0
              └─ yargs-parser:2.4.1
                    └─ lodash.assign:4.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Vulnerabilities

DepShield reports that this application's usage of safe-eval:0.4.1 results in the following vulnerability(s):

• (CVSS 9.8) Sandbox Breakout

Occurrences

safe-eval:0.4.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.0.0
        └─ @storybook/core:5.0.0
              └─ @storybook/channel-postmessage:5.0.0
                    └─ telejson:2.1.1
                          └─ safe-eval:0.4.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Vulnerabilities

DepShield reports that this application's usage of lodash.throttle:4.1.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.throttle:4.1.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.0.0
        └─ @storybook/core:5.0.0
              └─ @storybook/ui:5.0.0
                    └─ @storybook/components:5.0.0
                          └─ lodash.throttle:4.1.1
                    └─ lodash.throttle:4.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Here's the Weekly Digest for 9renpoto/all-star-thanks:

ISSUES

Last week 10 issues were created.
Of these, 5 issues have been closed and 5 issues are still open.

OPEN ISSUES

💚 #372 [DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.flatten:4.4.0, by sonatype-depshield[bot]
💚 #371 [DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.assignin:4.2.0, by sonatype-depshield[bot]
💚 #370 [DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clonedeep:4.5.0, by sonatype-depshield[bot]
💚 #369 [DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.set:4.3.2, by sonatype-depshield[bot]
💚 #368 [DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clone:4.5.0, by sonatype-depshield[bot]

CLOSED ISSUES

❤️ #376 Update dependency flow-bin to v0.100.0, by renovate[bot]
❤️ #375 Update dependency flow-bin to v0.99.1, by renovate[bot]
❤️ #374 Create SECURITY.md, by 9renpoto
❤️ #373 chore(deps): update dependency flow-bin to v0.99.0, by renovate[bot]
❤️ #367 Update dependency css-modules-flow-types-cli to v1.3.0, by renovate[bot]

NOISY ISSUE

🔈 #373 chore(deps): update dependency flow-bin to v0.99.0, by renovate[bot]
It received 2 comments.

PULL REQUESTS

Last week, 6 pull requests were created, updated or merged.

MERGED PULL REQUEST

Last week, 6 pull requests were merged.
💜 #376 Update dependency flow-bin to v0.100.0, by renovate[bot]
💜 #375 Update dependency flow-bin to v0.99.1, by renovate[bot]
💜 #374 Create SECURITY.md, by 9renpoto
💜 #373 chore(deps): update dependency flow-bin to v0.99.0, by renovate[bot]
💜 #367 Update dependency css-modules-flow-types-cli to v1.3.0, by renovate[bot]
💜 #366 [Snyk] Fix for 3 vulnerable dependencies, by snyk-bot

COMMITS

Last week there were 8 commits.
🛠️ Update dependency flow-bin to v0.100.0 by renovate-bot
🛠️ Update dependency flow-bin to v0.99.1 by renovate-bot
🛠️ Merge pull request #374 from 9renpoto/9renpoto-patch-1 Create SECURITY.md by 9renpoto
🛠️ Create SECURITY.md by 9renpoto
🛠️ Merge pull request #373 from 9renpoto/renovate/flow-bin-0.x chore(deps): update dependency flow-bin to v0.99.0 by 9renpoto
🛠️ chore(deps): update dependency flow-bin to v0.99.0 by renovate-bot
🛠️ Merge pull request #366 from 9renpoto/snyk-fix-al7ll3 [Snyk] Fix for 3 vulnerable dependencies by 9renpoto
🛠️ Update dependency css-modules-flow-types-cli to v1.3.0 by renovate-bot

CONTRIBUTORS

Last week there were 2 contributors.
👤 renovate-bot
👤 9renpoto

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and ⭐ Star the repository 9renpoto/all-star-thanks to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Here's the Weekly Digest for 9renpoto/all-star-thanks:

ISSUES

Last week 7 issues were created.
Of these, 5 issues have been closed and 2 issues are still open.

OPEN ISSUES

💚 #380 [DepShield] (CVSS 7.5) Vulnerability due to usage of express:4.17.1, by sonatype-depshield[bot]
💚 #379 [DepShield] (CVSS 7.5) Vulnerability due to usage of q:1.5.1, by sonatype-depshield[bot]

CLOSED ISSUES

❤️ #384 Update storybook monorepo to v5.1.3, by renovate[bot]
❤️ #383 Update dependency lint-staged to v8.2.0, by renovate[bot]
❤️ #382 Update dependency husky to v2.4.0, by renovate[bot]
❤️ #381 Update dependency url-loader to v2, by renovate[bot]
❤️ #378 Update storybook monorepo to v5.1.1, by renovate[bot]

NOISY ISSUE

🔈 #383 Update dependency lint-staged to v8.2.0, by renovate[bot]
It received 2 comments.

PULL REQUESTS

Last week, 5 pull requests were created, updated or merged.

MERGED PULL REQUEST

Last week, 5 pull requests were merged.
💜 #384 Update storybook monorepo to v5.1.3, by renovate[bot]
💜 #383 Update dependency lint-staged to v8.2.0, by renovate[bot]
💜 #382 Update dependency husky to v2.4.0, by renovate[bot]
💜 #381 Update dependency url-loader to v2, by renovate[bot]
💜 #378 Update storybook monorepo to v5.1.1, by renovate[bot]

COMMITS

Last week there were 5 commits.
🛠️ Update storybook monorepo to v5.1.3 by renovate-bot
🛠️ Update dependency lint-staged to v8.2.0 by renovate-bot
🛠️ Update dependency husky to v2.4.0 by renovate-bot
🛠️ Update dependency url-loader to v2 by renovate-bot
🛠️ Update storybook monorepo to v5.1.1 by renovate-bot

CONTRIBUTORS

Last week there was 1 contributor.
👤 renovate-bot

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and ⭐ Star the repository 9renpoto/all-star-thanks to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.1.1
        └─ @svgr/webpack:4.3.0
              └─ @svgr/plugin-svgo:4.2.0
                    └─ svgo:1.2.2
                          └─ coa:2.0.2
                                └─ q:1.5.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.mergewith:4.6.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.mergewith:4.6.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.0.0
        └─ @storybook/core:5.0.0
              └─ @storybook/client-api:5.0.0
                    └─ lodash.mergewith:4.6.1
              └─ @storybook/ui:5.0.0
                    └─ lodash.mergewith:4.6.1
        └─ @storybook/theming:5.0.0
              └─ lodash.mergewith:4.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Vulnerabilities

DepShield reports that this application's usage of handlebars:4.1.2 results in the following vulnerability(s):

• (CVSS 8.2) CWE-20: Improper Input Validation

Occurrences

handlebars:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• jest:24.9.0
        └─ jest-cli:24.9.0
              └─ @jest/core:24.9.0
                    └─ @jest/reporters:24.9.0
                          └─ istanbul-reports:2.2.6
                                └─ handlebars:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.camelcase:4.3.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.camelcase:4.3.0 is a transitive dependency introduced by the following direct dependency(s):

• microbundle:0.12.3
        └─ rollup-plugin-postcss:2.9.0
              └─ postcss-modules:2.0.0
                    └─ lodash.camelcase:4.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.merge:4.6.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.merge:4.6.1 is a transitive dependency introduced by the following direct dependency(s):

• prettier-eslint-cli:4.7.1
        └─ prettier-eslint:8.8.2
              └─ lodash.merge:4.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Here's the Weekly Digest for 9renpoto/all-star-thanks:

ISSUES

Last week 8 issues were created.
Of these, 7 issues have been closed and 1 issues are still open.

OPEN ISSUES

💚 #387 Update dependency flow-bin to v0.101.0, by renovate[bot]

CLOSED ISSUES

❤️ #393 Update dependency mockdate to v2.0.3, by renovate[bot]
❤️ #392 Update storybook monorepo to v5.1.8, by renovate[bot]
❤️ #391 Update storybook monorepo to v5.1.7, by renovate[bot]
❤️ #390 Update dependency lint-staged to v8.2.1, by renovate[bot]
❤️ #389 Update storybook monorepo to v5.1.4, by renovate[bot]
❤️ #388 Update dependency husky to v2.4.1, by renovate[bot]
❤️ #386 Update dependency css-loader to v3, by renovate[bot]

NOISY ISSUE

🔈 #386 Update dependency css-loader to v3, by renovate[bot]
It received 1 comments.

PULL REQUESTS

Last week, 8 pull requests were created, updated or merged.

UPDATED PULL REQUEST

Last week, 1 pull request was updated.
💛 #387 Update dependency flow-bin to v0.101.0, by renovate[bot]

MERGED PULL REQUEST

Last week, 7 pull requests were merged.
💜 #393 Update dependency mockdate to v2.0.3, by renovate[bot]
💜 #392 Update storybook monorepo to v5.1.8, by renovate[bot]
💜 #391 Update storybook monorepo to v5.1.7, by renovate[bot]
💜 #390 Update dependency lint-staged to v8.2.1, by renovate[bot]
💜 #389 Update storybook monorepo to v5.1.4, by renovate[bot]
💜 #388 Update dependency husky to v2.4.1, by renovate[bot]
💜 #386 Update dependency css-loader to v3, by renovate[bot]

COMMITS

Last week there were 7 commits.
🛠️ Update dependency mockdate to v2.0.3 by renovate-bot
🛠️ Update storybook monorepo to v5.1.8 by renovate-bot
🛠️ Update storybook monorepo to v5.1.7 by renovate-bot
🛠️ Update dependency lint-staged to v8.2.1 by renovate-bot
🛠️ Update storybook monorepo to v5.1.4 by renovate-bot
🛠️ Update dependency husky to v2.4.1 by renovate-bot
🛠️ Update dependency css-loader to v3 by renovate-bot

CONTRIBUTORS

Last week there was 1 contributor.
👤 renovate-bot

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and ⭐ Star the repository 9renpoto/all-star-thanks to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Vulnerabilities

DepShield reports that this application's usage of lodash.set:4.3.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.set:4.3.2 is a transitive dependency introduced by the following direct dependency(s):

• snyk:1.167.2
        └─ snyk-resolve-deps:4.0.3
              └─ lodash.set:4.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/all-star-thanks/node_modules/jest-message-util/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• cpx-1.5.0.tgz (Root Library)
  • chokidar-1.7.0.tgz
    • anymatch-1.3.2.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Step up your Open Source Security Game with WhiteSource here

Here's the Weekly Digest for 9renpoto/all-star-thanks:

ISSUES

Last week 7 issues were created.
Of these, 7 issues have been closed and 0 issues are still open.

CLOSED ISSUES

❤️ #342 Update jest monorepo to v24.7.1, by renovate[bot]
❤️ #341 Update dependency codecov to v3.3.0, by renovate[bot]
❤️ #340 Update jest monorepo to v24.7.0, by renovate[bot]
❤️ #339 Update babel monorepo to v7.4.3, by renovate[bot]
❤️ #338 Update dependency flow-bin to v0.96.0, by renovate[bot]
❤️ #337 Update jest monorepo to v24.6.0, by renovate[bot]
❤️ #336 Update storybook monorepo to v5.0.6, by renovate[bot]

NOISY ISSUE

🔈 #336 Update storybook monorepo to v5.0.6, by renovate[bot]
It received 1 comments.

PULL REQUESTS

Last week, 8 pull requests were created, updated or merged.

MERGED PULL REQUEST

Last week, 8 pull requests were merged.
💜 #342 Update jest monorepo to v24.7.1, by renovate[bot]
💜 #341 Update dependency codecov to v3.3.0, by renovate[bot]
💜 #340 Update jest monorepo to v24.7.0, by renovate[bot]
💜 #339 Update babel monorepo to v7.4.3, by renovate[bot]
💜 #338 Update dependency flow-bin to v0.96.0, by renovate[bot]
💜 #337 Update jest monorepo to v24.6.0, by renovate[bot]
💜 #336 Update storybook monorepo to v5.0.6, by renovate[bot]
💜 #317 Update dependency css-loader to v2.1.1, by renovate[bot]

COMMITS

Last week there were 8 commits.
🛠️ Merge pull request #317 from 9renpoto/renovate/css-loader-2.x Update dependency css-loader to v2.1.1 by 9renpoto
🛠️ Update jest monorepo to v24.7.1 by renovate-bot
🛠️ Update dependency codecov to v3.3.0 by renovate-bot
🛠️ Update jest monorepo to v24.7.0 by renovate-bot
🛠️ Update babel monorepo to v7.4.3 by renovate-bot
🛠️ Update dependency flow-bin to v0.96.0 by renovate-bot
🛠️ Update jest monorepo to v24.6.0 by renovate-bot
🛠️ Update storybook monorepo to v5.0.6 by renovate-bot

CONTRIBUTORS

Last week there were 2 contributors.
👤 9renpoto
👤 renovate-bot

STARGAZERS

Last week there were no stargazers.

RELEASES

Last week there were no releases.

That's all for last week, please 👀 Watch and ⭐ Star the repository 9renpoto/all-star-thanks to receive next weekly updates. 😃

You can also view all Weekly Digests by clicking here.

Your Weekly Digest bot. 📆

Vulnerabilities

DepShield reports that this application's usage of lodash.some:4.6.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.some:4.6.0 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:4.0.9
        └─ @storybook/core:4.0.9
              └─ babel-preset-minify:0.5.0
                    └─ babel-plugin-minify-dead-code-elimination:0.5.0
                          └─ lodash.some:4.6.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of braces:1.8.5 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

braces:1.8.5 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ anymatch:1.3.2
                    └─ micromatch:2.3.11
                          └─ braces:1.8.5

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

express:4.17.1 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:5.1.1
        └─ @storybook/core:5.1.1
              └─ express:4.17.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• prettier-eslint-cli:4.7.1
        └─ lodash.memoize:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• moxci:0.2.0
        └─ @octokit/rest:16.43.1
              └─ lodash.uniq:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency(s):

• @storybook/react:4.0.9
        └─ webpack:4.26.0
              └─ watchpack:1.6.0
                    └─ chokidar:2.0.4
                          └─ lodash.debounce:4.0.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• @9renpoto/eslint-config-flowtype:4.7.0
        └─ @9renpoto/eslint-config:4.7.0
              └─ eslint-plugin-import:2.17.2
                    └─ debug:2.6.9
                    └─ eslint-import-resolver-node:0.3.2
                          └─ debug:2.6.9
                    └─ eslint-module-utils:2.4.0
                          └─ debug:2.6.9

• @storybook/react:5.0.11
        └─ @storybook/core:5.0.11
              └─ detect-port:1.3.0
                    └─ debug:2.6.9
              └─ express:4.17.0
                    └─ body-parser:1.19.0
                          └─ debug:2.6.9
                    └─ debug:2.6.9
                    └─ finalhandler:1.1.2
                          └─ debug:2.6.9
                    └─ send:0.17.1
                          └─ debug:2.6.9
        └─ react-dev-utils:7.0.5
              └─ detect-port-alt:1.1.6
                    └─ debug:2.6.9

• lint-staged:8.1.7
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}