ilkeraltin / react-spa-news Goto Github PK

View Code? Open in Web Editor NEW

29.0 4.0 16.0 1.24 MB

React single page application demo project

JavaScript 97.27% HTML 2.73%

react nodejs express

react-spa-news's Introduction

SPA News - React

React demo project. This project uses News API under the hood.

Demo: Click to see DEMO

Getting Started

This project created for a Meetup talk about Server Side Rendering with React.

There is also a Server Side Rendered version of same project.

Installing

First clone project and install dependencies

$ mkdir react-news && cd react-news
$ git clone https://github.com/ilkeraltin/react-spa-news.git
$ npm install

Navigate to News API and grab your API key.

Find config.js in root folder and update API Key.

const config = {
  apikey: 'enter-your-api-key'
};

Run on local

$ npm run dev

Navigate to http://localhost:3001

Deployment

Deployment build

$ npm run build:prod

You can deploy this project to:

Heroku

Built With

react-spa-news's People

Contributors

Stargazers

Watchers

Forkers

msahin12 ajvipulgarg lalit022 arunthampi2006 chuksjoe tunb tridungle michael-motornyi ubongndoh grangier ed828a csanchez11 gebederry tbbt-love butkua123

react-spa-news's Issues

CVE-2019-10742 (High) detected in axios-0.18.0.tgz

CVE-2019-10742 - High Severity Vulnerability

Vulnerable Library - axios-0.18.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /react-spa-news/node_modules/axios/package.json

Dependency Hierarchy:

❌ axios-0.18.0.tgz (Vulnerable Library)

Found in HEAD commit: 7d90f899ce84aac41b22b173841f5a9d179292fa

Vulnerability Details

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Publish Date: 2019-05-07

URL: CVE-2019-10742

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /react-spa-news/node_modules/lodash/package.json

Dependency Hierarchy:

❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 9f3d5525bb2fd5cbed5b0a7514d3f6197b6738ff

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/mixin-deep/package.json

Dependency Hierarchy:

lint-staged-8.1.4.tgz (Root Library)
- micromatch-3.1.10.tgz
  - snapdragon-0.8.2.tgz
    - base-0.11.2.tgz
      - ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 9f3d5525bb2fd5cbed5b0a7514d3f6197b6738ff

Vulnerability Details

mixin-deep before 1.3.2 is vulnerable to Prototype Pollution.

Publish Date: 2019-07-11

URL: CVE-2019-10746

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2

Step up your Open Source Security Game with WhiteSource here

CVE-2019-15657 (High) detected in eslint-utils-1.3.1.tgz

CVE-2019-15657 - High Severity Vulnerability

Vulnerable Library - eslint-utils-1.3.1.tgz

Utilities for ESLint plugins.

Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/eslint-utils/package.json

Dependency Hierarchy:

eslint-5.6.0.tgz (Root Library)
- ❌ eslint-utils-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 9979578e7be8a9f761753a58332c5d354e6c3992

Vulnerability Details

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

Publish Date: 2019-08-26

URL: CVE-2019-15657

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657

Release Date: 2019-08-26

Fix Resolution: 1.4.1

Step up your Open Source Security Game with WhiteSource here

WS-2019-0185 (High) detected in lodash.merge-4.6.1.tgz

WS-2019-0185 - High Severity Vulnerability

Vulnerable Library - lodash.merge-4.6.1.tgz

The Lodash method `_.merge` exported as a module.

Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/lodash.merge/package.json

Dependency Hierarchy:

react-hot-loader-4.7.1.tgz (Root Library)
- ❌ lodash.merge-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 9979578e7be8a9f761753a58332c5d354e6c3992

Vulnerability Details

lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0185

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1066

Release Date: 2019-08-14

Fix Resolution: 4.6.2

Step up your Open Source Security Game with WhiteSource here

WS-2019-0032 (Medium) detected in js-yaml-3.12.2.tgz

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Library - js-yaml-3.12.2.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.2.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/js-yaml/package.json

Dependency Hierarchy:

eslint-5.6.0.tgz (Root Library)
- ❌ js-yaml-3.12.2.tgz (Vulnerable Library)

Found in HEAD commit: 7d90f899ce84aac41b22b173841f5a9d179292fa

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-26

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-26

Fix Resolution: 3.13.0

Step up your Open Source Security Game with WhiteSource here

WS-2019-0063 (High) detected in js-yaml-3.12.2.tgz

WS-2019-0063 - High Severity Vulnerability

Vulnerable Library - js-yaml-3.12.2.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.2.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/js-yaml/package.json

Dependency Hierarchy:

eslint-5.6.0.tgz (Root Library)
- ❌ js-yaml-3.12.2.tgz (Vulnerable Library)

Found in HEAD commit: 7d90f899ce84aac41b22b173841f5a9d179292fa

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-30

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-30

Fix Resolution: 3.13.1

Step up your Open Source Security Game with WhiteSource here

CVE-2019-10747 (High) detected in set-value-2.0.0.tgz, set-value-0.4.3.tgz

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/set-value/package.json

Dependency Hierarchy:

lint-staged-8.1.4.tgz (Root Library)
- micromatch-3.1.10.tgz
  - snapdragon-0.8.2.tgz
    - base-0.11.2.tgz
      - cache-base-1.0.1.tgz
        
        ❌ set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /react-spa-news/package.json

Path to vulnerable library: /tmp/git/react-spa-news/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

lint-staged-8.1.4.tgz (Root Library)
- micromatch-3.1.10.tgz
  - snapdragon-0.8.2.tgz
    - base-0.11.2.tgz
      - cache-base-1.0.1.tgz
        
        union-value-1.0.0.tgz
        
        ❌ set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: 9f3d5525bb2fd5cbed5b0a7514d3f6197b6738ff

Vulnerability Details

A vulnerability was found in set-value before 2.0.1 and from 3.0.0 before 3.0.1 previously reported as WS-2019-0176

Publish Date: 2019-07-24

URL: CVE-2019-10747

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1

Step up your Open Source Security Game with WhiteSource here

ilkeraltin / react-spa-news Goto Github PK

react-spa-news's Introduction

SPA News - React

Getting Started

Installing

Deployment

Built With

react-spa-news's People

Contributors

Stargazers

Watchers

Forkers

react-spa-news's Issues

CVE-2019-10742 - High Severity Vulnerability

CVE-2019-10744 - High Severity Vulnerability

CVE-2019-10746 - High Severity Vulnerability

CVE-2019-15657 - High Severity Vulnerability

WS-2019-0185 - High Severity Vulnerability

WS-2019-0032 - Medium Severity Vulnerability

WS-2019-0063 - High Severity Vulnerability

CVE-2019-10747 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org