Coder Social home page Coder Social logo

jshint's Introduction

##JSHint plugin for Light Table

A simple JSHint integration that shows JSHint warnings directly in the editor.

Usage

To run JSHint on a file, run the command Run jshint on current editor. By default this will display inline warnings. This plugin has the following additional behaviors you can add to your user.behaviors:

  • :lt.plugins.jshint/gutter-hints - Enable jshint warnings to show up as gutter hints that display warning on hover
  • :lt.plugins/jshint/jshint-options - Configure JSHint with a map of JSHint options
  • :lt.plugins.jshint/jshint-globals - Define a list of globals to ignore
  • :lt.plugins.jshint/on-save - Run JSHint on file save
  • :lt.plugins.jshint/on-change - Run JSHint on change

Use one of these behaviors with the right tag e.g. [:editor.javascript :lt.plugins.jshint/on-change]

For Committers

This plugin depends on the JSHint package. To upgrade it npm install jshint@VERSION and ensure all behaviors work correctly.

jshint's People

Contributors

cldwalker avatar gozala avatar ibdknox avatar jamii avatar seancaffery avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

gozala p07r0457 dardevelin snufkon cyouden seancaffery favac rlxrlxrlx rlugojr chrisemoulton

jshint's Issues

.jshintrc Support

JSHint supports using a file to hold your configuration. Whenever the jshint executable is invoked, you can either use the --config flag to point to the .jshintrc file or you can let jshint locate your .jshintrc file(s) based on the CWD where the executable was invoked. This is documented in the Configuration section of the JSHint Documentation. The idea would either be to fix where jshint is executed from so that jshint can work as it would from the CLI or we can update the :lt.plugins.jshint/jshint-options to allow for a workspace path or fully qualified path. Thoughts?

Typically I'd submit a pull request but I've not filed the paperwork to contribute and I'm not up to speed on ClojureScript just yet. I'll see if I can expedite these things if necessary.

WS-2016-0036 Low Severity Vulnerability detected by WhiteSource

WS-2016-0036 - Low Severity Vulnerability

Vulnerable Library - cli-0.6.6.tgz

A tool for rapidly building command line apps

path: /JSHint/node_modules/jshint/node_modules/cli/package.json

Library home page: http://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Dependency Hierarchy:

  • cli-0.6.6.tgz (Vulnerable Library)

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-06-15

URL: WS-2016-0036

CVSS 2 Score Details (1.9)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

WS-2016-0039 High Severity Vulnerability detected by WhiteSource

WS-2016-0039 - High Severity Vulnerability

Vulnerable Library - shell-quote-0.0.1.tgz

quote and parse shell commands

path: /tmp/git/JSHint/node_modules/jshint/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz

Dependency Hierarchy:

  • browserify-9.0.8.tgz (Root Library)
    • shell-quote-0.0.1.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" cannot correctly escape "greater than" and "lower than" operator used for redirection in shell. This might be possible vulnerability for many application which depends on shell-quote.

Publish Date: 2016-06-21

URL: WS-2016-0039

CVSS 2 Score Details (8.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/117

Release Date: 2016-06-21

Fix Resolution: Upgrade to at least version 1.6.1

Step up your Open Source Security Game with WhiteSource here

CVE-2018-16487 High Severity Vulnerability detected by WhiteSource

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-3.7.0.tgz, lodash-3.2.0.tgz, lodash-4.13.1.tgz

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

path: /JSHint/node_modules/jshint/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Dependency Hierarchy:

  • lodash-3.7.0.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/xmlbuilder/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Dependency Hierarchy:

  • jscs-1.11.3.tgz (Root Library)
    • xmlbuilder-2.5.2.tgz
      • lodash-3.2.0.tgz (Vulnerable Library)
lodash-4.13.1.tgz

Lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • istanbul-lib-instrument-1.1.0-alpha.4.tgz
          • babel-generator-6.11.4.tgz
            • lodash-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Step up your Open Source Security Game with WhiteSource here

WS-2017-0206 Medium Severity Vulnerability detected by WhiteSource

WS-2017-0206 - Medium Severity Vulnerability

Vulnerable Libraries - brace-expansion-1.1.6.tgz, brace-expansion-1.1.2.tgz

brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/brace-expansion/package.json

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • glob-7.0.5.tgz
          • minimatch-3.0.2.tgz
            • brace-expansion-1.1.6.tgz (Vulnerable Library)
brace-expansion-1.1.2.tgz

Brace expansion as known from sh/bash

path: /tmp/git/JSHint/node_modules/jshint/node_modules/minimatch/node_modules/brace-expansion/package.json

Library home page: http://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.2.tgz

Dependency Hierarchy:

  • minimatch-2.0.10.tgz (Root Library)
    • brace-expansion-1.1.2.tgz (Vulnerable Library)

Vulnerability Details

Brace-expansion is a module to support bash-like brace expansion in JavaScript.
For example,{1,2,3,4} would expand to 1 2 3 4. brace expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks.

Publish Date: 2017-04-25

URL: WS-2017-0206

CVSS 2 Score Details (6.2)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: juliangruber/brace-expansion@b133812

Release Date: 2017-04-07

Fix Resolution: Replace or update the following file: index.js

Step up your Open Source Security Game with WhiteSource here

Keymap shotcut

When I tried to add keymap:

:editor.javascript {  
     "ctrl-h": [:jshint.run]
}

Then I got this error:

Map literal must contain an even number of forms

Is it possible to map JSHint as keyboard shortcut? Thanks

CVE-2018-1000620 High Severity Vulnerability detected by WhiteSource

CVE-2018-1000620 - High Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

path: /tmp/git/JSHint/node_modules/jshint/node_modules/cryptiles/package.json

Library home page: http://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Dependency Hierarchy:

  • coveralls-2.11.16.tgz (Root Library)
    • request-2.79.0.tgz
      • hawk-3.1.3.tgz
        • cryptiles-2.0.5.tgz (Vulnerable Library)

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16137 Medium Severity Vulnerability detected by WhiteSource

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/debug/package.json

Library home page: http://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • istanbul-lib-instrument-1.1.0-alpha.4.tgz
          • babel-traverse-6.11.4.tgz
            • debug-2.2.0.tgz (Vulnerable Library)

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/534

Release Date: 2017-09-27

Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.

Step up your Open Source Security Game with WhiteSource here

WS-2017-0247 Low Severity Vulnerability detected by WhiteSource

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/ms/package.json

Library home page: http://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • istanbul-lib-instrument-1.1.0-alpha.4.tgz
          • babel-traverse-6.11.4.tgz
            • debug-2.2.0.tgz
              • ms-0.7.1.tgz (Vulnerable Library)

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Step up your Open Source Security Game with WhiteSource here

CVE-2017-16028 Medium Severity Vulnerability detected by WhiteSource

CVE-2017-16028 - Medium Severity Vulnerability

Vulnerable Library - randomatic-1.1.5.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/randomatic/package.json

Library home page: http://registry.npmjs.org/randomatic/-/randomatic-1.1.5.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • micromatch-2.3.11.tgz
          • braces-1.8.5.tgz
            • expand-range-1.8.2.tgz
              • fill-range-2.2.3.tgz
                • randomatic-1.1.5.tgz (Vulnerable Library)

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-06-04

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/157

Release Date: 2017-04-14

Fix Resolution: Update to version 3.0.0 or later.

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10540 High Severity Vulnerability detected by WhiteSource

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-1.0.0.tgz, minimatch-2.0.10.tgz, minimatch-0.3.0.tgz

minimatch-1.0.0.tgz

a glob matcher in javascript

path: /tmp/git/JSHint/node_modules/jshint/node_modules/jshint/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-1.0.0.tgz

Dependency Hierarchy:

  • jshint-2.6.3.tgz (Root Library)
    • minimatch-1.0.0.tgz (Vulnerable Library)
minimatch-2.0.10.tgz

a glob matcher in javascript

path: /JSHint/node_modules/jshint/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Dependency Hierarchy:

  • minimatch-2.0.10.tgz (Vulnerable Library)
minimatch-0.3.0.tgz

a glob matcher in javascript

path: /tmp/git/JSHint/node_modules/jshint/node_modules/cli/node_modules/glob/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Dependency Hierarchy:

  • cli-0.6.6.tgz (Root Library)
    • glob-3.2.11.tgz
      • minimatch-0.3.0.tgz (Vulnerable Library)

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Step up your Open Source Security Game with WhiteSource here

WS-2018-0148 Low Severity Vulnerability detected by WhiteSource

WS-2018-0148 - Low Severity Vulnerability

Vulnerable Library - utile-0.2.1.tgz

A drop-in replacement for `util` with some additional advantageous functions

path: /tmp/git/JSHint/node_modules/jshint/node_modules/utile/package.json

Library home page: http://registry.npmjs.org/utile/-/utile-0.2.1.tgz

Dependency Hierarchy:

  • jscs-1.11.3.tgz (Root Library)
    • prompt-0.2.14.tgz
      • utile-0.2.1.tgz (Vulnerable Library)

Vulnerability Details

utile allocates uninitialized Buffers when number is passed in input.
Before version 0.3.0

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 2 Score Details (1.8)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

WS-2019-0019 Medium Severity Vulnerability detected by WhiteSource

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • micromatch-2.3.11.tgz
          • braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Step up your Open Source Security Game with WhiteSource here

WS-2018-0210 Low Severity Vulnerability detected by WhiteSource

WS-2018-0210 - Low Severity Vulnerability

Vulnerable Libraries - lodash-3.7.0.tgz, lodash-3.2.0.tgz, lodash-4.13.1.tgz

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

path: /JSHint/node_modules/jshint/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Dependency Hierarchy:

  • lodash-3.7.0.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/xmlbuilder/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Dependency Hierarchy:

  • jscs-1.11.3.tgz (Root Library)
    • xmlbuilder-2.5.2.tgz
      • lodash-3.2.0.tgz (Vulnerable Library)
lodash-4.13.1.tgz

Lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • istanbul-lib-instrument-1.1.0-alpha.4.tgz
          • babel-generator-6.11.4.tgz
            • lodash-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10538 Low Severity Vulnerability detected by WhiteSource

CVE-2016-10538 - Low Severity Vulnerability

Vulnerable Library - cli-0.6.6.tgz

A tool for rapidly building command line apps

path: /JSHint/node_modules/jshint/node_modules/cli/package.json

Library home page: http://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Dependency Hierarchy:

  • cli-0.6.6.tgz (Vulnerable Library)

Vulnerability Details

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2018-05-31

URL: CVE-2016-10538

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/95

Release Date: 2016-06-15

Fix Resolution: Update to version 1.0.0 or later.

Step up your Open Source Security Game with WhiteSource here

CVE-2017-18077 High Severity Vulnerability detected by WhiteSource

CVE-2017-18077 - High Severity Vulnerability

Vulnerable Libraries - brace-expansion-1.1.6.tgz, brace-expansion-1.1.2.tgz

brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/brace-expansion/package.json

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • glob-7.0.5.tgz
          • minimatch-3.0.2.tgz
            • brace-expansion-1.1.6.tgz (Vulnerable Library)
brace-expansion-1.1.2.tgz

Brace expansion as known from sh/bash

path: /tmp/git/JSHint/node_modules/jshint/node_modules/minimatch/node_modules/brace-expansion/package.json

Library home page: http://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.2.tgz

Dependency Hierarchy:

  • minimatch-2.0.10.tgz (Root Library)
    • brace-expansion-1.1.2.tgz (Vulnerable Library)

Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Publish Date: 2018-01-27

URL: CVE-2017-18077

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/338

Release Date: 2017-04-25

Fix Resolution: Upgrade to version 1.1.7 or later.

Step up your Open Source Security Game with WhiteSource here

WS-2018-0075 Medium Severity Vulnerability detected by WhiteSource

WS-2018-0075 - Medium Severity Vulnerability

Vulnerable Library - concat-stream-1.4.11.tgz

writable stream that concatenates strings or binary data and calls a callback with the result

path: /tmp/git/JSHint/node_modules/jshint/node_modules/concat-stream/package.json

Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.4.11.tgz

Dependency Hierarchy:

  • browserify-9.0.8.tgz (Root Library)
    • concat-stream-1.4.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write()

Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

WS-2018-0076 Medium Severity Vulnerability detected by WhiteSource

WS-2018-0076 - Medium Severity Vulnerability

Vulnerable Library - tunnel-agent-0.4.3.tgz

HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/tunnel-agent/package.json

Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz

Dependency Hierarchy:

  • coveralls-2.11.16.tgz (Root Library)
    • request-2.79.0.tgz
      • tunnel-agent-0.4.3.tgz (Vulnerable Library)

Vulnerability Details

Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure.

This is exploitable if user supplied input is provided to the auth value and is a number.

Publish Date: 2018-04-25

URL: WS-2018-0076

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

doesn't differentiate between false and true

For the :lt.plugins.jshint/jshint-options object :-W008 false and :-W008 true are equivalent.
The disabled state is currently handled by removing the flag completely which is not very convenient.

version: 0.1.0
LT 0.8.1

Enable the gutter behaviour

I see there is inline and gutter variant for jshint, but i am unable to turn the gutter one on.
My config is:
[:editor.javascript :lt.plugins.jshint/on-change]
[:editor.javascript :lt.plugins.jshint/gutter-hints]
[:editor.javascript :-lt.plugins.jshint/inline-hints]

But that basically shows no feedback at all. The inline behaviour works if just left at default setting.

Is gutter supported still?

CVE-2018-3728 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-3728 - Medium Severity Vulnerability

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

path: /tmp/git/JSHint/node_modules/jshint/node_modules/hoek/package.json

Library home page: http://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Dependency Hierarchy:

  • coveralls-2.11.16.tgz (Root Library)
    • request-2.79.0.tgz
      • hawk-3.1.3.tgz
        • hoek-2.16.3.tgz (Vulnerable Library)

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: hapijs/hoek@623667e

Release Date: 2018-02-15

Fix Resolution: Replace or update the following files: index.js, index.js

Step up your Open Source Security Game with WhiteSource here

jshint-globals not seen by LightTable

For some reason I can't define jshint globals in user.behaviors. jshint-globals doesn't show up in autocomplete neither does it work at all if I type it my self like this:

:editor.javascript [:lt.plugins.jshint/on-save
                     :lt.plugins.jshint/inline-hints
                     (:lt.plugins.jshint/jshint-options {:undef true, :unused true, :jquery true, :devel true, :browser true})
                     (:lt.plugins.jshint/jshint-globals {:Modernizr, :module})]

Messages about Modernizr not defined (Modernizr being an object) and 'module' not defined (Gruntfile.js). Yet however externally running JSHint with these settings and globals defined works fine!

Also see my +1 on the .jshintrc issue, I much prefer to see that work. Might even solve this issue.

Getting a list of jshint warnings

The plugin is working, however it "only" marks the points in the editor where jshint found a problem, without even a hint of whether there were problems or not.
I did not find a command like "jump to next-previous warning" so in a large file I cannot even find the warnings...
Would it be possible to make the plugin open a panel with the list of problems that jshint has found?
Or at least have a message that gives the number of warnings and the ability to navigate through them.

Maybe the minimal way of doing it would be a pair of "go to next-previous jshint warning" commands, each of which would

  • go to the warning, and
  • print something like "Warning number XXX of YYY", or if there are no warnings, "No jshint warnings in this file".

And have the "run jshint" command automatically execute the "go to next jshint warning" command so that the user

  • knows if there are warnings, and
  • immediately sees the first one.

This would not require any separate panel.

And yes, I know I should try to do it myself, but here comes the second question: is it mandatory to write such an extension in Clojurescript (creating a panel and filling it with a list of "errors", or anyway references to locations in an editor window), or is there a pure Javascript API for it? (I did not find it...)

CVE-2018-3721 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-3.7.0.tgz, lodash-3.2.0.tgz, lodash-4.13.1.tgz

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

path: /JSHint/node_modules/jshint/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Dependency Hierarchy:

  • lodash-3.7.0.tgz (Vulnerable Library)
lodash-3.2.0.tgz

The modern build of lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/xmlbuilder/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Dependency Hierarchy:

  • jscs-1.11.3.tgz (Root Library)
    • xmlbuilder-2.5.2.tgz
      • lodash-3.2.0.tgz (Vulnerable Library)
lodash-4.13.1.tgz

Lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Dependency Hierarchy:

  • nodeunit-0.9.5.tgz (Root Library)
    • tap-7.1.2.tgz
      • nyc-7.1.0.tgz
        • istanbul-lib-instrument-1.1.0-alpha.4.tgz
          • babel-generator-6.11.4.tgz
            • lodash-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721

Fix Resolution: Upgrade to version lodash 4.17.5 or greater

Step up your Open Source Security Game with WhiteSource here

CVE-2016-10541 High Severity Vulnerability detected by WhiteSource

CVE-2016-10541 - High Severity Vulnerability

Vulnerable Library - shell-quote-0.0.1.tgz

quote and parse shell commands

path: /tmp/git/JSHint/node_modules/jshint/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz

Dependency Hierarchy:

  • browserify-9.0.8.tgz (Root Library)
    • shell-quote-0.0.1.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.

Publish Date: 2018-05-31

URL: CVE-2016-10541

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10541

Release Date: 2018-12-15

Fix Resolution: 1.6.1

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.