
vidavidorra-repo-template's Introduction

Repository template

A template for creating new repositories.


Install

There are two ways to set up a repository from this template.

  1. Create a new repository on GitHub and select vidavidorra/repo-template as Repository template.
  2. Create a new empty repository and merge this template into it:
    $ git commit --allow-empty -m 'chore: create HEAD'
    $ git remote add -t main upstream git@github.com:vidavidorra/repo-template.git
    $ export REPO_TEMPLATE_TAG="$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags upstream 'v*.*.*' | tail --lines=1 | cut --delimiter='/' --fields=3)"
    $ export REPO_TEMPLATE_COMMIT="$(git -c 'versionsort.suffix=-' ls-remote --exit-code --refs --sort='version:refname' --tags upstream 'v*.*.*' | tail --lines=1 | cut --characters=1-7)"
    $ git fetch --no-tags upstream tag "${REPO_TEMPLATE_TAG}"
    $ git merge --allow-unrelated-histories --squash "${REPO_TEMPLATE_TAG}"
    $ git commit --message "chore: initialise from vidavidorra/repo-template@${REPO_TEMPLATE_COMMIT} (${REPO_TEMPLATE_TAG})"
    $ git tag --delete "${REPO_TEMPLATE_TAG}"
    $ git remote remove upstream
    $ git push

Usage

Work through the checklist to set up the repository with this template.

Documentation

Please refer to the docs for the documentation.

Contributing

Please create an issue if you have a bug report, feature proposal or question that does not yet exist.

Please give this project a star ⭐ if you like it and consider becoming a sponsor to support this project.

Please refer to the contributing guide for detailed information about other contributions, such as pull requests.

Security policy

Please refer to the Security Policy on GitHub for the security policy.

License

This project is licensed under the GPLv3 license.

Copyright © 2019-2020 Jeroen de Bruijn

License details.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

The full text of the license is available in the LICENSE file in this repository and online.

vidavidorra-repo-template's People

Contributors

renovate-bot, mcaj-git, renovate[bot], mend-bolt-for-github[bot]

Forkers

lgtm-migrator

vidavidorra-repo-template's Issues

CVE-2023-26115 (High) detected in word-wrap-1.2.3.tgz

CVE-2023-26115 - High Severity Vulnerability

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/word-wrap/package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Root Library)
    • optionator-0.9.1.tgz
      • word-wrap-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution (word-wrap): 1.2.4

Direct dependency fix Resolution (eslint): 8.0.0


Step up your Open Source Security Game with Mend here

CVE-2022-25881 (High) detected in http-cache-semantics-4.1.0.tgz

CVE-2022-25881 - High Severity Vulnerability

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • make-fetch-happen-9.1.0.tgz
          • http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution (http-cache-semantics): 4.1.1

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2022-21680 (High) detected in marked-2.1.3.tgz

CVE-2022-21680 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2023-42282 (Critical) detected in ip-1.1.5.tgz

CVE-2023-42282 - Critical Severity Vulnerability

Vulnerable Library - ip-1.1.5.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ip/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • make-fetch-happen-9.1.0.tgz
          • socks-proxy-agent-6.1.0.tgz
            • socks-2.6.1.tgz
              • ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2024-29415 (Critical) detected in ip-1.1.5.tgz

CVE-2024-29415 - Critical Severity Vulnerability

Vulnerable Library - ip-1.1.5.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ip/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • make-fetch-happen-9.1.0.tgz
          • socks-proxy-agent-6.1.0.tgz
            • socks-2.6.1.tgz
              • ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


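
The two ip reports above (CVE-2023-42282 and CVE-2024-29415) share one root cause: isPublic classifies the textual form of an address, and the spellings it misclassifies (0x7f.1, 127.1, 012.1.2.3, 01200034567, ::fFFf:127.0.0.1) are all accepted by the resolver as loopback or another internal address. An SSRF guard therefore has to either canonicalise before classifying or refuse anything non-canonical. The following is an added example, not the ip package's code and not part of vidavidorra/repo-template; it takes the second route: only canonical dotted-decimal IPv4 and RFC 4291 IPv6 text is parsed, IPv4-mapped IPv6 is judged by the IPv4 inside, and everything else is reported as 'invalid' rather than guessed at. The function names and the non-public range list are this example's own assumptions, and the list is the usual set rather than an exhaustive registry.

```javascript
// Added example: not the ip package's code, not part of vidavidorra/repo-template.
// Fail-closed public/non-public/invalid classifier for SSRF guards. Names and the
// non-public range list below are this example's own assumptions.

// Canonical IPv4 only: four decimal octets 0-255, no leading zeros, so hex,
// octal and shorthand spellings ("0x7f.1", "012.1.2.3", "127.1") never parse.
function parseIPv4(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  const parts = m.slice(1);
  if (parts.some((p) => p.length > 1 && p[0] === '0')) return null;
  const octets = parts.map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets;
}

// Expands IPv6 text to eight 16-bit groups; handles "::", a zone suffix and an
// embedded dotted quad ("::ffff:127.0.0.1"). Returns null for anything malformed.
function parseIPv6(str) {
  let s = str.toLowerCase();
  const zone = s.indexOf('%');
  if (zone !== -1) s = s.slice(0, zone);
  const lastColon = s.lastIndexOf(':');
  if (lastColon === -1) return null;
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    const v4 = parseIPv4(tail);
    if (!v4) return null;
    s = s.slice(0, lastColon + 1) +
      ((v4[0] << 8) | v4[1]).toString(16) + ':' + ((v4[2] << 8) | v4[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill('0'), ...rest];
  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

function classifyIPv4([a, b]) {
  if (a === 0 || a === 10 || a === 127) return 'non-public';   // this-network, RFC 1918, loopback
  if (a === 100 && b >= 64 && b <= 127) return 'non-public';    // 100.64/10 carrier-grade NAT
  if (a === 169 && b === 254) return 'non-public';              // link-local, where cloud metadata lives
  if (a === 172 && b >= 16 && b <= 31) return 'non-public';     // RFC 1918
  if (a === 192 && b === 168) return 'non-public';              // RFC 1918
  if (a >= 224) return 'non-public';                            // multicast, reserved, broadcast
  return 'public';
}

function classifyIPv6(g) {
  const upperZero = g.slice(0, 5).every((x) => x === 0);
  if (upperZero && g[5] === 0xffff) {                           // ::ffff:a.b.c.d, judge the IPv4 inside
    return classifyIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (g.every((x) => x === 0)) return 'non-public';             // :: unspecified
  if (upperZero && g[5] === 0 && g[6] === 0 && g[7] === 1) return 'non-public'; // ::1 loopback
  if ((g[0] & 0xfe00) === 0xfc00) return 'non-public';          // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return 'non-public';          // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return 'non-public';          // ff00::/8 multicast
  return 'public';
}

// 'public' | 'non-public' | 'invalid'. Only 'public' should be allowed to connect;
// 'invalid' is deliberately not treated as public, which is where isPublic went wrong.
function classifyAddress(str) {
  const v4 = parseIPv4(str);
  if (v4) return classifyIPv4(v4);
  const v6 = parseIPv6(str);
  if (v6) return classifyIPv6(v6);
  return 'invalid';
}

function isPublicStrict(str) {
  return classifyAddress(str) === 'public';
}
```

Run this on the resolved address, not on the hostname the client supplied, and re-check after every redirect; a classifier on the literal string is only half of an SSRF defence, but refusing non-canonical literals closes the specific gap both advisories describe.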

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • cli-columns-3.1.2.tgz
          • string-width-2.1.1.tgz
            • strip-ansi-4.0.0.tgz
              • ansi-regex-3.0.0.tgz (Vulnerable Library)

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • cli-table3-0.6.0.tgz
          • string-width-4.2.2.tgz
            • strip-ansi-6.0.0.tgz
              • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2021-43616 (Critical) detected in npm-7.24.2.tgz

CVE-2021-43616 - Critical Severity Vulnerability

Vulnerable Library - npm-7.24.2.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

Publish Date: 2021-11-13

URL: CVE-2021-43616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616

Release Date: 2021-11-13

Fix Resolution (npm): 8.1.4

Direct dependency fix Resolution (semantic-release): 19.0.0


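
What the advisory above describes is a missing consistency check: npm ci in 7.x and 8.x up to 8.1.3 trusted package-lock.json without confirming that it still agreed with package.json, so a reviewer who approved a lockfile got whatever a later package.json edit pulled in. The following is an added example, not npm's implementation and not part of vidavidorra/repo-template: a stand-alone function that performs that comparison over parsed manifests (lockfileVersion 2 or 3, where the packages[""] entry mirrors the root package.json) so it can run as a CI pre-check even where the installed npm is still old. The two sample manifests are constructed for the demonstration, and the function and constant names are this example's own.

```javascript
// Added example: not npm's implementation and not part of vidavidorra/repo-template.
// Re-implements the manifest/lockfile agreement check that `npm ci` in 7.x and
// 8.x <= 8.1.3 skipped, over already-parsed package.json and package-lock.json
// objects (lockfileVersion 2 or 3, whose packages[""] entry mirrors the root
// manifest). Function and constant names are this example's own.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns human-readable problems; an empty array means the lock still describes
// exactly what package.json asks for, so an install from it is what was reviewed.
function lockfileMismatches(pkg, lock) {
  const problems = [];
  const root = (lock.packages || {})[''];
  if (!root) return ['lockfile has no packages[""] root entry (lockfileVersion 1 or corrupt lock)'];

  for (const field of DEP_FIELDS) {
    const wanted = pkg[field] || {};
    const locked = root[field] || {};

    for (const [name, range] of Object.entries(wanted)) {
      // Every declared range must be recorded verbatim in the lock root,
      if (!(name in locked)) {
        problems.push(`${field}.${name} is missing from the lockfile root`);
      } else if (locked[name] !== range) {
        problems.push(`${field}.${name}: package.json wants ${range}, lockfile recorded ${locked[name]}`);
      }
      // and must actually resolve to a package in the locked tree (direct
      // dependencies of the root sit at node_modules/<name> in an npm lock).
      if (!lock.packages[`node_modules/${name}`]) {
        problems.push(`node_modules/${name} is not resolved anywhere in the lockfile`);
      }
    }
    // The lock must not carry dependencies the manifest no longer declares either.
    for (const name of Object.keys(locked)) {
      if (!(name in wanted)) problems.push(`${field}.${name} is in the lockfile but not in package.json`);
    }
  }
  return problems;
}

// Constructed sample: package.json was edited (eslint bumped, semantic-release
// added) without regenerating package-lock.json, which still pins eslint 7.32.0.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo',
  devDependencies: { eslint: '^8.0.0', 'semantic-release': '^18.0.1' },
};
const SAMPLE_LOCK = {
  name: 'demo',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', devDependencies: { eslint: '^7.32.0' } },
    'node_modules/eslint': { version: '7.32.0', dev: true },
  },
};

// Runs the check over the constructed pair; in CI you would JSON.parse the two
// files instead and fail the job when the returned list is non-empty.
function checkSample() {
  return lockfileMismatches(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
}
```

On the constructed pair the check reports three problems: the eslint range drifted, semantic-release is absent from the lock root, and nothing resolves it in the tree. npm 8.1.4 and later (the fix version listed above) reject such a mismatch themselves, so the script mainly matters for pipelines pinned to an older npm.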

CVE-2023-26136 (Critical) detected in tough-cookie-2.5.0.tgz

CVE-2023-26136 - Critical Severity Vulnerability

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/request/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz
            • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2021-44906 (Critical) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • rc-1.2.8.tgz
        • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (semantic-release): 19.0.0


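
The description above is the whole bug class in one sentence: a parser that walks attacker-chosen keys with plain property access reaches Object.prototype through the key __proto__, and the final assignment then lands on every object in the process. The following is an added example, not code from minimist, qs or vidavidorra/repo-template: a toy --key.path=value argument parser in the vulnerable shape next to a hardened one, exercised on a constructed argv. The names (setKeyUnsafe, setKeySafe, parseArgs, pollutes) and the argv are this example's own.

```javascript
// Added example: not code from minimist, qs or vidavidorra/repo-template.
// Prototype pollution through nested-key parsing, vulnerable and hardened.
// Function names and the sample argv below are this example's own.

// Vulnerable shape: intermediate objects are looked up with plain property
// access, so the key "__proto__" resolves to Object.prototype and the last
// assignment pollutes every object in the process.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: refuse the keys that lead to a prototype, descend only into
// own properties, and build the tree from null-prototype objects.
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing key ${key}`);
    if (!Object.prototype.hasOwnProperty.call(o, key)) o[key] = Object.create(null);
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (FORBIDDEN_KEYS.has(last)) throw new Error(`refusing key ${last}`);
  o[last] = value;
}

// parseArgs: "--a.b=c" -> { a: { b: 'c' } }, using the given setter.
// The safe setter gets a null-prototype root so there is no prototype to reach.
function parseArgs(argv, setKey = setKeySafe) {
  const out = setKey === setKeySafe ? Object.create(null) : {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Constructed attacker argv: the first flag targets Object.prototype.
const POLLUTION_ARGV = ['--__proto__.polluted=yes', '--name=demo'];

// Parses the constructed argv with the given setter and reports whether an
// unrelated, previously created object picked up the attacker's property.
function pollutes(setKey) {
  const probe = {};
  try {
    parseArgs(POLLUTION_ARGV, setKey);
  } catch (e) {
    // the hardened setter rejects the key; that is the intended outcome
  }
  const leaked = probe.polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution so later code is unaffected
  return leaked;
}
```

pollutes(setKeyUnsafe) returns true and pollutes(setKeySafe) returns false. Throwing on a forbidden key is a design choice here: a CLI parser could just as well skip it, but rejecting it loudly makes the attempt visible in logs instead of silently dropping it.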

CVE-2022-29244 (High) detected in npm-7.24.2.tgz

CVE-2022-29244 - High Severity Vulnerability

Vulnerable Library - npm-7.24.2.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Publish Date: 2022-06-13

URL: CVE-2022-29244

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-06-13

Fix Resolution (npm): 8.11.0

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2022-24999 (High) detected in qs-6.5.2.tgz

CVE-2022-24999 - High Severity Vulnerability

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/qs/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz
            • qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (semantic-release): 19.0.0



CVE-2021-44907 (High) detected in qs-6.5.2.tgz - autoclosed

CVE-2021-44907 - High Severity Vulnerability

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/qs/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz
            • qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution (qs): 6.8.1

Direct dependency fix Resolution (semantic-release): 19.0.0-beta.1



CVE-2022-25883 (High) detected in multiple libraries

CVE-2022-25883 - High Severity Vulnerability

Vulnerable Libraries - semver-7.3.5.tgz, semver-5.7.1.tgz, semver-6.3.0.tgz

semver-7.3.5.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json,/node_modules/npm/node_modules/semver/package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Root Library)
    • semver-7.3.5.tgz (Vulnerable Library)

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/read-pkg/node_modules/semver/package.json,/node_modules/npm-run-all/node_modules/semver/package.json,/node_modules/@semantic-release/npm/node_modules/normalize-package-data/node_modules/semver/package.json,/node_modules/read-pkg-up/node_modules/semver/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • read-pkg-up-7.0.1.tgz
      • read-pkg-5.2.0.tgz
        • normalize-package-data-2.5.0.tgz
          • semver-5.7.1.tgz (Vulnerable Library)

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/conventional-changelog-writer/node_modules/semver/package.json,/node_modules/semver-diff/node_modules/semver/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • semver-diff-3.1.1.tgz
      • semver-6.3.0.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2024-08-01

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (eslint): 8.7.0



CVE-2024-4068 (High) detected in braces-3.0.2.tgz

CVE-2024-4068 - High Severity Vulnerability

Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

  • git-10.0.1.tgz (Root Library)
    • micromatch-4.0.4.tgz
      • braces-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: braces - 3.0.3



CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.32.0.tgz (Root Library)
    • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (eslint): 8.0.0



CVE-2022-21681 (High) detected in marked-2.1.3.tgz

CVE-2022-21681 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (semantic-release): 19.0.0


CVE-2024-28863 (Medium) detected in tar-6.1.11.tgz

CVE-2024-28863 - Medium Severity Vulnerability

Vulnerable Library - tar-6.1.11.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/tar/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • tar-6.1.11.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction into excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

These dependencies are deprecated:

Datasource  Name         Replacement PR?
npm         npm-run-all  Available

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • fix(deps): update linters (eslint-config-prettier, eslint-plugin-prettier)
  • fix(deps): update actions/checkout action to v4
  • fix(deps): update actions/setup-node action to v4
  • fix(deps): update dependency @vidavidorra/commitlint-config to v7
  • fix(deps): update dependency conventional-changelog-conventionalcommits to v8
  • fix(deps): update dependency husky to v9
  • fix(deps): update dependency lint-staged to v15
  • fix(deps): update dependency prettier to v3
  • fix(deps): update wagoid/commitlint-github-action action to v6
  • 🔐 Create all rate-limited PRs at once 🔐

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/build.yml
  • actions/checkout v2.4.0@ec3a7ce113134d7a93b817d10a8272cb61118579
  • actions/setup-node v2.5.1@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561
  • actions/checkout v2.4.0@ec3a7ce113134d7a93b817d10a8272cb61118579
  • actions/setup-node v2.5.1@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561
.github/workflows/lint-commit-messages.yml
  • actions/checkout v2.4.0@ec3a7ce113134d7a93b817d10a8272cb61118579
  • actions/setup-node v2.5.1@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561
  • wagoid/commitlint-github-action v4.1.15@416045160973f9fff174ac6698412cfe7181c3f3
npm
package.json
  • @commitlint/cli 13.2.1
  • @semantic-release/changelog 6.0.1
  • @semantic-release/exec 6.0.3
  • @semantic-release/git 10.0.1
  • @vidavidorra/commitlint-config 3.2.5
  • conventional-changelog-conventionalcommits 4.6.3
  • eslint 7.32.0
  • eslint-config-prettier 8.5.0
  • eslint-plugin-json 3.1.0
  • eslint-plugin-prettier 4.0.0
  • husky 7.0.4
  • lint-staged 11.2.6
  • npm-run-all 4.1.5
  • prettier 2.6.2
  • semantic-release 18.0.1

  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2021-43307 (High) detected in semver-regex-3.1.3.tgz

CVE-2021-43307 - High Severity Vulnerability

Vulnerable Library - semver-regex-3.1.3.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • find-versions-4.0.0.tgz
      • semver-regex-3.1.3.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution (semver-regex): 3.1.4

Direct dependency fix Resolution (semantic-release): 19.0.0


CVE-2023-2251 (High) detected in yaml-1.10.2.tgz - autoclosed

CVE-2023-2251 - High Severity Vulnerability

Vulnerable Library - yaml-1.10.2.tgz

JavaScript parser and stringifier for YAML

Library home page: https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yaml/package.json

Dependency Hierarchy:

  • lint-staged-11.2.6.tgz (Root Library)
    • cosmiconfig-7.0.1.tgz
      • yaml-1.10.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.

Publish Date: 2023-04-24

URL: CVE-2023-2251

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9xv-q969-pqx4

Release Date: 2023-04-24

Fix Resolution (yaml): 2.0.0-0

Direct dependency fix Resolution (lint-staged): 13.0.0


CVE-2021-3918 (Critical) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - Critical Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/json-schema/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz
            • http-signature-1.2.0.tgz
              • jsprim-1.4.1.tgz
                • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (semantic-release): 19.0.0


CVE-2022-31051 (High) detected in semantic-release-18.0.1.tgz

CVE-2022-31051 - High Severity Vulnerability

Vulnerable Library - semantic-release-18.0.1.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-18.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.

Publish Date: 2022-06-09

URL: CVE-2022-31051

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-x2pg-mjhr-2m5x

Release Date: 2022-06-09

Fix Resolution: 19.0.3


CVE-2023-28155 (Medium) detected in request-2.88.2.tgz

CVE-2023-28155 - Medium Severity Vulnerability

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/request/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0


CVE-2024-4067 (Medium) detected in micromatch-4.0.4.tgz

CVE-2024-4067 - Medium Severity Vulnerability

Vulnerable Library - micromatch-4.0.4.tgz

Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Dependency Hierarchy:

  • git-10.0.1.tgz (Root Library)
    • micromatch-4.0.4.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting further research, it was concluded that CVE-2024-4067 does not carry a security risk as high as the NVD score reflects, but it is kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: micromatch - 4.0.6


CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/minimatch/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.3.tgz
      • npm-7.24.2.tgz
        • glob-7.2.0.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: da9164953160f02cde489a24633e8bb244a39be4

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5
