alpersonalwebsite / erc721-smart-contract
DApp with custom implementation of ERC-721
License: MIT License
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4075
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f9mq-jph6-9mhm
Release Date: 2020-07-07
Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21
Step up your Open Source Security Game with WhiteSource here
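The workaround the CVE-2020-4075 entry above describes, written out as an added example (this is not code from the alpersonalwebsite/erc721-smart-contract project or from Electron): a main-process handler that calls event.preventDefault() on every new-window event whose URL is off an allowlist or whose window options would weaken the child renderer. ALLOWED_ORIGINS is an assumed value, and the decision logic is kept in a pure function so it can be tested outside Electron.

```javascript
// Added example: child-window policy for Electron's `new-window` event.
// ALLOWED_ORIGINS is an assumption; replace it with the origins your app loads.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Window options that would hand a child window more privilege than the opener
// (the "unsafe window options" CVE-2020-4075 refers to).
function hasUnsafeWebPreferences(options) {
  const prefs = (options && options.webPreferences) || {};
  return (
    prefs.nodeIntegration === true ||
    prefs.nodeIntegrationInWorker === true ||
    prefs.nodeIntegrationInSubFrames === true ||
    prefs.contextIsolation === false ||
    prefs.sandbox === false ||
    prefs.webSecurity === false ||
    prefs.allowRunningInsecureContent === true ||
    prefs.enableRemoteModule === true ||
    prefs.webviewTag === true ||
    prefs.preload !== undefined
  );
}

// Pure decision: true means the child window must be prevented.
function shouldBlockChildWindow(url, options) {
  let origin = null;
  try {
    origin = new URL(url).origin; // "about:blank" / "javascript:" give origin "null"
  } catch (_err) {
    // Unparseable URL: block it.
  }
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return true;
  return hasUnsafeWebPreferences(options);
}

// Hook every webContents (including windows opened from child windows) and
// veto the ones the policy rejects.
function installChildWindowPolicy(electronApp) {
  electronApp.on('web-contents-created', (_event, contents) => {
    contents.on('new-window', (event, url, _frameName, _disposition, options) => {
      if (shouldBlockChildWindow(url, options)) event.preventDefault();
    });
  });
}

// Only install when actually running inside Electron; in plain Node the
// `electron` module is absent (or is just the binary path), so skip.
let electron = null;
try {
  electron = require('electron');
} catch (_err) {
  electron = null;
}
if (electron && electron.app && typeof electron.app.on === 'function') {
  installChildWindowPolicy(electron.app);
}
```

The workaround is a stopgap: the entry's Fix Resolution (upgrading to 7.2.4, 8.2.4 or 9.0.0-beta.21) is the actual fix. On current Electron releases the same policy belongs in webContents.setWindowOpenHandler, since the new-window event has since been removed.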
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 0936b120479c96383e43aa70451bc94ccb0d9381
A prototype pollution vulnerability exists in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/underscore/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
Versions of the package underscore from 1.13.0-0 before 1.13.0-2, and from 1.3.2 before 1.12.1, are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1,1.13.0-2
Extracting archives made easy
Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/decompress/package.json
Dependency Hierarchy:
Found in HEAD commit: 0bd9f5421327f7dfc93b48320caff131a442c1c3
decompress, in all its versions, is vulnerable to arbitrary file write: the package fails to prevent extraction of files with relative paths, which allows attackers to write to any folder on the system.
Publish Date: 2020-03-08
URL: WS-2020-0044
Base Score Metrics:
The dependency openzeppelin-solidity was updated from 2.3.0 to 2.4.0. This version is covered by your current version range and after updating it in your project the build failed.
openzeppelin-solidity is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.
Severity | CVSS Score | CVE | GitHub Issue |
---|---|---|---|
Medium | 6.1 | CVE-2019-11358 | #5 |
Medium | 6.1 | CVE-2015-9251 | #4 |
Medium | 4.3 | WS-2016-0090 | #6 |
There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/ini/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution: v1.3.6
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
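Both the underscore (CVE-2021-23358) and lodash (CVE-2021-23337) entries above concern the variable setting of template(): the caller-supplied name is spliced into the parameter list of a function built with new Function, so anything that is not a bare identifier is parsed as JavaScript. The following is an added example, not code from underscore, lodash or this repository: a minimal template compiler in the same style, first trusting variable as those libraries did before their fixes, then validating it as a bare identifier the way underscore 1.12.1 and lodash 4.17.21 do. The payload is constructed and only sets a global flag in place of the command execution the advisories describe.

```javascript
// Added example: why a template engine must validate its `variable` setting.
const PLACEHOLDER = /<%=\s*([\s\S]+?)\s*%>/g;

// Compile "Hi <%= d.name %>" into a function body that concatenates strings.
// The template text itself is developer-authored and trusted here.
function buildSource(text) {
  let source = "var __p = '';\n";
  let last = 0;
  let m;
  PLACEHOLDER.lastIndex = 0;
  while ((m = PLACEHOLDER.exec(text)) !== null) {
    source += '__p += ' + JSON.stringify(text.slice(last, m.index)) + ';\n';
    source += '__p += String(' + m[1] + ');\n';
    last = m.index + m[0].length;
  }
  source += '__p += ' + JSON.stringify(text.slice(last)) + ';\n';
  source += 'return __p;\n';
  return source;
}

// Vulnerable: `variable` goes straight into the parameter list of new Function,
// so "d, x = (...)" declares a second parameter whose default expression runs
// on every render, whatever data the caller passes.
function compileVulnerable(text, settings = {}) {
  const variable = settings.variable || 'obj';
  return new Function(variable, buildSource(text));
}

// Hardened: the parameter name must be a bare identifier and nothing else.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
function compileSafe(text, settings = {}) {
  const variable = settings.variable || 'obj';
  if (!BARE_IDENTIFIER.test(variable)) {
    throw new Error('template variable must be a bare identifier, got: ' + variable);
  }
  return new Function(variable, buildSource(text));
}

// Constructed payload: a benign side effect standing in for child_process use.
const INJECTED_VARIABLE = 'd, __x = (globalThis.__templateInjected = true)';

function demo() {
  const template = 'Hi <%= d.name %>';
  const data = { name: 'Ann' };
  const result = {};

  delete globalThis.__templateInjected;
  result.vulnerableOutput = compileVulnerable(template, { variable: INJECTED_VARIABLE })(data);
  result.vulnerableInjected = globalThis.__templateInjected === true;

  delete globalThis.__templateInjected;
  try {
    compileSafe(template, { variable: INJECTED_VARIABLE });
    result.safeRejected = false;
  } catch (_err) {
    result.safeRejected = true;
  }
  result.safeInjected = globalThis.__templateInjected === true;
  result.safeOutput = compileSafe(template, { variable: 'd' })(data);
  return result;
}
```

The rendered output is identical in both cases ("Hi Ann"), which is what makes this class of bug easy to miss: the injected expression runs as a side effect of a render that otherwise looks correct.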
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038
This affects the package glob-parent before 5.1.2: it is vulnerable to Regular Expression Denial of Service (ReDoS) through the enclosure regex used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (nodemon): 2.0.0
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/git/erc721-smart-contract/smart_contracts/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: b080024d164cbbcc72560834dc5e39f291e6572e
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Publish Date: 2019-04-05
URL: WS-2019-0047
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/803
Release Date: 2019-04-05
Fix Resolution: 4.4.2
Recursive version of _.defaults
Library home page: https://registry.npmjs.org/deep-defaults/-/deep-defaults-1.0.5.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/deep-defaults/package.json
Dependency Hierarchy:
Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038
Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.
Publish Date: 2021-05-25
URL: CVE-2021-25944
Base Score Metrics:
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/dot-prop/package.json
Dependency Hierarchy:
Found in HEAD commit: 0bd9f5421327f7dfc93b48320caff131a442c1c3
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Dependency Hierarchy:
Found in HEAD commit: 0936b120479c96383e43aa70451bc94ccb0d9381
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/bl/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3. If attacker-supplied input (even typed input) reaches the consume() argument and can become negative, the BufferList state is corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution: bl - 1.2.3,2.2.1,3.0.1,4.0.3
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: dd5f42086bee0771658914de31128ac49447cee9
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906
Release Date: 2022-03-17
Fix Resolution: minimist - 0.2.4,1.2.6
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (nodemon): 2.0.3
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/qs/package.json
Dependency Hierarchy:
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: dd5f42086bee0771658914de31128ac49447cee9
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property names in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that a property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
WhiteSource Note: After conducting further research, WhiteSource has determined that versions 0.0.1--6.10.3 of qs are vulnerable to CVE-2021-44907.
Publish Date: 2022-03-17
URL: CVE-2021-44907
Base Score Metrics:
Ethereum JavaScript API
Library home page: https://registry.npmjs.org/web3/-/web3-1.2.1.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/web3/package.json
Dependency Hierarchy:
Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038
All versions of web3 are vulnerable to Insecure Credential Storage
Publish Date: 2019-05-15
URL: WS-2019-0075
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0075
Release Date: 2019-05-15
Fix Resolution: web3 - 1.5.3-rc.0
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.3.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/elliptic/package.json
Dependency Hierarchy:
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: f7bd4ba207ff34cdf6389d4d146e37ea45b4ce9b
The function getNAF() in the elliptic library has an information leak. This issue is mitigated in version 6.5.2.
Publish Date: 2019-11-22
URL: WS-2019-0427
Base Score Metrics:
Type: Upgrade version
Origin: indutny/elliptic@ec735ed
Release Date: 2019-11-22
Fix Resolution: v6.5.2
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4077
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h9jc-284h-533g
Release Date: 2020-07-07
Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-2.8.1.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/simple-get/package.json
Dependency Hierarchy:
Found in HEAD commit: 11b81b67d7da872135498e6394bdec16aded69ce
Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.
Publish Date: 2022-01-26
URL: CVE-2022-0355
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355
Release Date: 2022-01-26
Fix Resolution: simple-get - 4.0.1
The dependency truffle-hdwallet-provider was updated from 1.0.6 to 1.0.7. This version is covered by your current version range and after updating it in your project the build failed.
truffle-hdwallet-provider is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.
There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.3.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/elliptic/package.json
Dependency Hierarchy:
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: f7bd4ba207ff34cdf6389d4d146e37ea45b4ce9b
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution: v6.5.4
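The missing check CVE-2020-28498 describes is a point-on-curve test before ECDH. As an added example (not elliptic's code or this repository's), the block below parses a SEC1 uncompressed secp256k1 public key and verifies that its coordinates are in range and satisfy y² = x³ + 7 over the field prime, refusing the key otherwise. The secp256k1 parameters and the generator point are the standard published constants; the generator is used only as a known-good test vector.

```javascript
// Added example: validate a peer's secp256k1 public key before ECDH.
// secp256k1: y^2 = x^3 + 7 over the prime field of order P.
const P = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F');
const B = 7n;
// Generator point G, used here only as a known-good vector.
const GX = BigInt('0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798');
const GY = BigInt('0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8');

// Non-negative modular reduction for BigInt.
function mod(a, m) {
  const r = a % m;
  return r >= 0n ? r : r + m;
}

// Affine point check: both coordinates are field elements and the curve
// equation holds. A point on some other curve fails here, which is exactly
// what an invalid-curve attack against an unchecked ECDH relies on.
function isOnSecp256k1(x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= P || y < 0n || y >= P) return false;
  const lhs = mod(y * y, P);
  const rhs = mod(x * x * x + B, P);
  return lhs === rhs;
}

// Parse a SEC1 uncompressed key (0x04 || X || Y, 65 bytes) given as hex and
// validate it. Throws rather than ever returning an off-curve point.
function parseUncompressedPublicKey(hex) {
  const clean = String(hex).replace(/^0x/i, '').toLowerCase();
  if (!/^04[0-9a-f]{128}$/.test(clean)) {
    throw new Error('expected a 65-byte SEC1 uncompressed point (0x04 || X || Y)');
  }
  const x = BigInt('0x' + clean.slice(2, 66));
  const y = BigInt('0x' + clean.slice(66, 130));
  if (!isOnSecp256k1(x, y)) {
    throw new Error('public key point is not on secp256k1');
  }
  return { x, y };
}

// Encode a point (valid or not) so test vectors can be built from coordinates.
function encodeUncompressed(x, y) {
  return '04' + x.toString(16).padStart(64, '0') + y.toString(16).padStart(64, '0');
}
```

Run parseUncompressedPublicKey on the peer key before handing it to any derive routine; elliptic 6.5.4 and later perform this check inside derive itself, and the upgrade in the Fix Resolution above is the real remedy. Compressed keys and the point at infinity are out of scope for this example.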
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Dependency Hierarchy:
Found in HEAD commit: b9b69a78b2d694ad0343817209db815e1daab964
jQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/extract-zip/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 0bd9f5421327f7dfc93b48320caff131a442c1c3
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/snapdragon-util/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/has-values/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/is-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: 7236e90b1c6c757f2f249a0b7fe7d258e070a819
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4076
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m93v-9qjc-3g79
Release Date: 2020-07-07
Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21
The devDependency nodemon was updated from 1.19.2 to 1.19.3. This version is covered by your current version range and after updating it in your project the build failed.
nodemon is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
Severity | CVSS Score | CVE | GitHub Issue |
---|---|---|---|
Medium | 6.1 | CVE-2019-11358 | #5 |
Medium | 6.1 | CVE-2015-9251 | #4 |
Medium | 4.3 | WS-2016-0090 | #6 |
The new version differs by 1 commit.
eead311 fix: to avoid confusion like in #1528, always report used extension
See the full diff
There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-2.0.18.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/electron/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99
In Electron before versions 6.1.11, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds; you must update your Electron version to be protected. This is fixed in versions 6.1.11, 7.2.4, 8.2.4, and 9.0.0-beta.21.
Publish Date: 2020-07-07
URL: CVE-2020-15096
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6vrv-94jv-crrg
Release Date: 2020-07-07
Fix Resolution: electron - 6.1.11,7.2.4,8.2.4,9.0.0-beta.21
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 11b81b67d7da872135498e6394bdec16aded69ce
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1
☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io
The dependency node-server-screenshot was updated from 0.2.3 to 0.2.4. This version is covered by your current version range and after updating it in your project the build failed.
node-server-screenshot is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.
Severity | CVSS Score | CVE | GitHub Issue |
---|---|---|---|
High | 9.8 | CVE-2020-7598 | #11 |
High | 7.5 | CVE-2020-8116 | #13 |
High | 7.5 | WS-2020-0044 | #12 |
Medium | 6.1 | CVE-2019-11358 | #5 |
Medium | 6.1 | CVE-2015-9251 | #4 |
The new version differs by 3 commits.
28d82bf 0.2.4
3a39fd6 update(deps): nightmare from ^3.0.1 to ^3.0.2
b09a7aa fix: disable window frame for the requested sizes to be accurate
See the full diff
There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 2.8.9,3.0.8
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Dependency Hierarchy:
Found in HEAD commit: b9b69a78b2d694ad0343817209db815e1daab964
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Modular Utilities
Library home page: https://registry.npmjs.org/mout/-/mout-0.11.1.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/mout/package.json
Dependency Hierarchy:
Found in HEAD commit: 11b81b67d7da872135498e6394bdec16aded69ce
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.
Publish Date: 2020-12-11
URL: CVE-2020-7792
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7792
Release Date: 2020-12-11
Fix Resolution: mout - 1.2.3
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: d00031b7be0677f4dd50b71e93d21ed2931d4038
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution: trim-newlines - 3.0.1, 4.0.1
Extracting archives made easy
Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz
Path to dependency file: /smart_contracts/package.json
Path to vulnerable library: /smart_contracts/node_modules/decompress/package.json
Dependency Hierarchy:
Found in HEAD commit: 533a14599877b2acca7588425157ce76656deb1f
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Publish Date: 2020-04-26
URL: CVE-2020-12265
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265
Release Date: 2020-04-26
Fix Resolution: 4.2.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Dependency Hierarchy:
Found in HEAD commit: b9b69a78b2d694ad0343817209db815e1daab964
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@753d591
Release Date: 2019-03-25
Fix Resolution: Replace or update the following files: core.js, core.js
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.3.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/ethers/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/indutny/elliptic/tree/v6.5.3
Release Date: 2020-06-04
Fix Resolution: v6.5.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Path to vulnerable library: /erc721-smart-contract/smart_contracts/node_modules/nightmare/test/fixtures/rendering/index.html
Dependency Hierarchy:
Found in HEAD commit: 1f363407df6443c97775b800e7a12eba65b56f99
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.3.3.tgz
Path to dependency file: /tmp/ws-scm/erc721-smart-contract/smart_contracts/package.json
Path to vulnerable library: /tmp/ws-scm/erc721-smart-contract/smart_contracts/node_modules/ethers/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 0936b120479c96383e43aa70451bc94ccb0d9381
All versions of elliptic before 6.5.2 are vulnerable to a timing attack through side channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/indutny/elliptic/pull/203/commits
Release Date: 2020-04-30
Fix Resolution: v6.5.2