Sponsor devs on github but using crypto and streaming per second.
Home Page: https://sponsor-zhyd1997.vercel.app
Video Show (on mobile ๐ฑ):
pnpm install
cp .env.example .env
# add your Infura API key (Superfluid SDK needs it)
# add your Alchemy API key (get ERC-20 token balances)
pnpm run devadd FUNDING.yml in your github repo.
add https://sponsor-zhyd1997.vercel.app/<your ENS name or wallet address> at custom field.
Sponsor button at github repo page (if the user set FUNDING.yml file) to start.
Vulnerable Library - next-13.0.1.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (next version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-44270 |  Medium |
5.3 | postcss-8.4.14.tgz | Transitive | 13.5.4-canary.8 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-44270Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270
Release Date: 2023-09-29
Fix Resolution (postcss): 8.4.31
Direct dependency fix Resolution (next): 13.5.4-canary.8
Step up your Open Source Security Game with Mend here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@types/react, @types/react-dom, react, react-dom)package.json
@emotion/react ^11.10.5@emotion/styled ^11.10.5@mui/icons-material ^5.10.9@mui/lab 5.0.0-alpha.106@mui/material ^5.10.12@rainbow-me/rainbowkit ^0.8.0@superfluid-finance/sdk-core ^0.5.7@types/node 18.11.9@types/react 18.0.25@types/react-dom 18.0.9@vercel/analytics ^0.1.3alchemy-sdk ^2.2.0ethers ^5.7.2graphql ^16.6.0next 13.0.1react 18.2.0react-dom 18.2.0react-toastify ^9.1.1sharp ^0.31.2typescript 4.8.4wagmi ^0.8.5
Vulnerable Library - graphql-16.6.0.tgzA Query Language and Runtime which can target any service.
Library home page: https://registry.npmjs.org/graphql/-/graphql-16.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (graphql version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-26144 | Medium |
5.3 | graphql-16.6.0.tgz | Direct | 16.8.1 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-26144A Query Language and Runtime which can target any service.
Library home page: https://registry.npmjs.org/graphql/-/graphql-16.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.
Note: It was not proven that this vulnerability can crash the process.
Publish Date: 2023-09-20
URL: CVE-2023-26144
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-09-20
Fix Resolution: 16.8.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - sharp-0.31.2.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (sharp version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-25883 |  High |
7.5 | semver-7.3.8.tgz | Transitive | 0.33.1 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-25883The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (sharp): 0.33.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - sdk-core-0.5.7.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (sdk-core version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-26136 |  Critical |
9.8 | tough-cookie-2.5.0.tgz | Transitive | N/A* | โ |
| CVE-2023-30542 | High |
8.8 | contracts-4.7.3.tgz | Transitive | N/A* | โ |
| CVE-2024-37890 | High |
7.5 | ws-3.3.3.tgz | Transitive | N/A* | โ |
| CVE-2024-21505 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | โ |
| CVE-2023-46234 | High |
7.5 | browserify-sign-4.2.1.tgz | Transitive | N/A* | โ |
| CVE-2023-43646 | High |
7.5 | get-func-name-2.0.0.tgz | Transitive | N/A* | โ |
| CVE-2022-25901 | High |
7.5 | cookiejar-2.1.3.tgz | Transitive | N/A* | โ |
| CVE-2022-25883 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | โ |
| CVE-2022-25881 | High |
7.5 | http-cache-semantics-4.1.0.tgz | Transitive | N/A* | โ |
| CVE-2024-28863 | Medium |
6.5 | tar-4.4.19.tgz | Transitive | N/A* | โ |
| CVE-2024-27094 | Medium |
6.5 | contracts-4.7.3.tgz | Transitive | N/A* | โ |
| CVE-2024-29041 | Medium |
6.1 | express-4.18.2.tgz | Transitive | N/A* | โ |
| CVE-2023-28155 | Medium |
6.1 | request-2.88.2.tgz | Transitive | N/A* | โ |
| CVE-2023-34459 | Medium |
5.9 | contracts-4.7.3.tgz | Transitive | N/A* | โ |
| CVE-2023-40014 | Medium |
5.3 | contracts-4.7.3.tgz | Transitive | N/A* | โ |
| CVE-2023-34234 | Medium |
5.3 | contracts-4.7.3.tgz | Transitive | N/A* | โ |
| CVE-2023-30541 | Medium |
5.3 | contracts-4.7.3.tgz | Transitive | N/A* | โ |
| CVE-2022-33987 | Medium |
5.3 | got-9.6.0.tgz | Transitive | N/A* | โ |
| CVE-2020-7608 | Medium |
5.3 | yargs-parser-2.4.1.tgz | Transitive | N/A* | โ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-26136RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
Step up your Open Source Security Game with Mend here
CVE-2023-30542Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.
Publish Date: 2023-04-16
URL: CVE-2023-30542
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-93hq-5wgc-jc82
Release Date: 2023-04-16
Fix Resolution: @openzeppelin/contracts - 4.8.3;@openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
CVE-2024-37890Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Publish Date: 2024-06-17
URL: CVE-2024-37890
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3h5v-q93c-6h6q
Release Date: 2024-06-17
Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1
Step up your Open Source Security Game with Mend here
CVE-2024-21505
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Collection of utility functions used in web3.js.
Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Publish Date: 2024-03-25
URL: CVE-2024-21505
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505
Release Date: 2024-03-25
Fix Resolution: web3-utils - 4.2.1
Step up your Open Source Security Game with Mend here
CVE-2023-46234adds node crypto signing for browsers
Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
Publish Date: 2023-10-26
URL: CVE-2023-46234
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x9w5-v3q2-3rhw
Release Date: 2023-10-26
Fix Resolution: browserify-sign - 4.2.2
Step up your Open Source Security Game with Mend here
CVE-2023-43646Utility for getting a function's name for node and the browser
Library home page: https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit f934b228b which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-09-27
URL: CVE-2023-43646
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4q6p-r6v2-jvc5
Release Date: 2023-09-27
Fix Resolution: get-func-name - 2.0.1,3.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-25901simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution: cookiejar - 2.1.4
Step up your Open Source Security Game with Mend here
CVE-2022-25883
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
Step up your Open Source Security Game with Mend here
CVE-2022-25881Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1
Step up your Open Source Security Game with Mend here
CVE-2024-28863tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
CVE-2024-27094Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
Publish Date: 2024-02-29
URL: CVE-2024-27094
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-02-29
Fix Resolution: @openzeppelin/contracts - 4.9.6,5.0.2, @openzeppelin/contracts-upgradeable - 4.9.6,5.0.2
Step up your Open Source Security Game with Mend here
CVE-2024-29041Fast, unopinionated, minimalist web framework
Library home page: https://registry.npmjs.org/express/-/express-4.18.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.
Publish Date: 2024-03-25
URL: CVE-2024-29041
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rv95-896h-c2vc
Release Date: 2024-03-25
Fix Resolution: express - 4.19.0
Step up your Open Source Security Game with Mend here
CVE-2023-28155Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-34459Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.
A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.
A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.
The problem has been patched in version 4.9.2.
Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.
Publish Date: 2023-06-16
URL: CVE-2023-34459
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-34459
Release Date: 2023-06-16
Fix Resolution: @openzeppelin/contracts - 4.9.2, @openzeppelin/contracts-upgradeable - 4.9.2
Step up your Open Source Security Game with Mend here
CVE-2023-40014Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
Publish Date: 2023-08-10
URL: CVE-2023-40014
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g4vp-m682-qqmp
Release Date: 2023-08-10
Fix Resolution: @openzeppelin/contracts - 4.9.3;@openzeppelin/contracts-upgradeable - 4.9.3
Step up your Open Source Security Game with Mend here
CVE-2023-34234Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.
Publish Date: 2023-06-07
URL: CVE-2023-34234
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5h3x-9wvq-w4m2
Release Date: 2023-06-07
Fix Resolution: @openzeppelin/contracts-upgradeable - 4.9.1;@openzeppelin/contracts - 4.9.1
Step up your Open Source Security Game with Mend here
CVE-2023-30541Secure Smart Contract library for Solidity
Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.
Publish Date: 2023-04-17
URL: CVE-2023-30541
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mx2q-35m2-x2rh
Release Date: 2023-04-17
Fix Resolution: @openzeppelin/contracts - 4.8.3, @openzeppelin/contracts-upgradeable - 4.8.3
Step up your Open Source Security Game with Mend here
CVE-2022-33987Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
Step up your Open Source Security Game with Mend here
CVE-2020-7608the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - alchemy-sdk-2.2.0.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (alchemy-sdk version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-28849 | Medium |
6.5 | follow-redirects-1.15.2.tgz | Transitive | N/A* | โ |
| CVE-2023-45857 | Medium |
6.5 | axios-0.26.1.tgz | Transitive | 3.1.2 | โ |
| CVE-2023-26159 | Medium |
6.1 | follow-redirects-1.15.2.tgz | Transitive | 2.2.1 | โ |
| CVE-2024-27088 |  Low |
0.0 | es5-ext-0.10.62.tgz | Transitive | 2.2.1 | โ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2024-28849HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-03-14
URL: CVE-2024-28849
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cxjh-pqwp-8mfp
Release Date: 2024-03-14
Fix Resolution: follow-redirects - 1.15.6
Step up your Open Source Security Game with Mend here
CVE-2023-45857Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.26.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 0.28.0
Direct dependency fix Resolution (alchemy-sdk): 3.1.2
Step up your Open Source Security Game with Mend here
CVE-2023-26159HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
Publish Date: 2024-01-02
URL: CVE-2023-26159
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159
Release Date: 2024-01-02
Fix Resolution (follow-redirects): 1.15.4
Direct dependency fix Resolution (alchemy-sdk): 2.2.1
Step up your Open Source Security Game with Mend here
CVE-2024-27088ECMAScript extensions and shims
Library home page: https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.62.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into function#copy or function#toStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63.
Publish Date: 2024-02-26
URL: CVE-2024-27088
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-27088
Release Date: 2024-02-26
Fix Resolution (es5-ext): 0.10.63
Direct dependency fix Resolution (alchemy-sdk): 2.2.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - styled-11.10.5.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (styled version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-45133 | High |
8.8 | traverse-7.20.1.tgz | Transitive | 11.10.6 | โ |
| CVE-2022-46175 | High |
8.8 | json5-2.2.1.tgz | Transitive | 11.10.6 | โ |
| CVE-2022-25883 | High |
7.5 | semver-6.3.0.tgz | Transitive | 11.10.6 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-45133The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.20.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
CVE-2022-46175JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
CVE-2022-25883The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 6.3.1
Direct dependency fix Resolution (@emotion/styled): 11.10.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - rainbowkit-0.8.0.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (rainbowkit version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-41713 | Medium |
5.3 | deep-object-diff-1.1.7.tgz | Transitive | 0.8.1 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2022-41713Deep diffs two objects, including nested structures of arrays and objects, and return the difference.
Library home page: https://registry.npmjs.org/deep-object-diff/-/deep-object-diff-1.1.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5a14195d842fa047b4e529a4ec122a84b85f321e
Found in base branch: main
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the 'proto' property to be edited.
Publish Date: 2022-11-03
URL: CVE-2022-41713
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-11-03
Fix Resolution (deep-object-diff): 1.1.9
Direct dependency fix Resolution (@rainbow-me/rainbowkit): 0.8.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - wagmi-0.8.5.tgzPath to dependency file: /package.json
Path to vulnerable library: /package.json
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (wagmi version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-42282 | Critical |
9.8 | ip-1.1.8.tgz | Transitive | 0.8.6 | โ |
| CVE-2024-29415 | Critical |
9.1 | ip-1.1.8.tgz | Transitive | N/A* | โ |
| CVE-2024-4068 | High |
7.5 | detected in multiple dependencies | Transitive | N/A* | โ |
| CVE-2022-38900 | High |
7.5 | decode-uri-component-0.2.0.tgz | Transitive | 0.8.6 | โ |
| CVE-2023-45857 | Medium |
6.5 | axios-0.21.4.tgz | Transitive | 0.12.0-cjs | โ |
| CVE-2023-25166 | Medium |
6.5 | formula-3.0.0.tgz | Transitive | 0.8.6 | โ |
| CVE-2024-4067 | Medium |
5.3 | detected in multiple dependencies | Transitive | 0.8.6 | โ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-42282[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Publish Date: 2024-02-08
URL: CVE-2023-42282
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-78xj-cgh5-2h22
Release Date: 2024-02-08
Fix Resolution (ip): 1.1.9
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
CVE-2024-29415[](https://www.npmjs.com/package/ip)
Library home page: https://registry.npmjs.org/ip/-/ip-1.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Publish Date: 2024-05-27
URL: CVE-2024-29415
Base Score Metrics:
Step up your Open Source Security Game with Mend here
CVE-2024-4068
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
CVE-2022-38900A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
CVE-2023-45857Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 0.28.0
Direct dependency fix Resolution (wagmi): 0.12.0-cjs
Step up your Open Source Security Game with Mend here
CVE-2023-25166Math and string formula parser.
Library home page: https://registry.npmjs.org/@sideway/formula/-/formula-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.
Publish Date: 2023-02-08
URL: CVE-2023-25166
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25166
Release Date: 2023-02-08
Fix Resolution (@sideway/formula): 3.0.1
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
CVE-2024-4067
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in base branch: main
The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution (micromatch): 4.0.6
Direct dependency fix Resolution (wagmi): 0.8.6
Fix Resolution (micromatch): 4.0.6
Direct dependency fix Resolution (wagmi): 0.8.6
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.