You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/request/node_modules/cryptiles/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/node_modules/hawk/node_modules/cryptiles/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
request-2.83.0.tgz
hawk-6.0.2.tgz
❌ cryptiles-3.1.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/bin-links/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
❌ bin-links-1.1.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In bin-links, versions prior to v1.1.5 are vulnerable to a Symlink reference outside of 'node_modules' directory. An attacker can access unauthorized files.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
❌ npm-5.8.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
❌ npm-5.8.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
❌ npm-5.8.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/bin-links/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
❌ bin-links-1.1.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In bin-links, versions prior to v1.1.6 are vulnerable to a Global 'node_modules' Binary Overwrite. It fails to prevent globally-installed binaries to be overwritten by other package installs.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent/package.json
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
❌ npm-5.8.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
npm-lifecycle-2.0.1.tgz
node-gyp-3.6.2.tgz
request-2.85.0.tgz
❌ qs-6.5.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Path to dependency file: /npm_and_yarn/helpers/package.json
Path to vulnerable library: /npm_and_yarn/helpers/node_modules/ssri/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/ssri/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
❌ ssri-5.3.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/update-notifier/node_modules/configstore/node_modules/dot-prop/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
update-notifier-2.3.0.tgz
configstore-3.1.2.tgz
❌ dot-prop-4.2.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/y18n/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/libnpx/node_modules/yargs/node_modules/y18n/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
libnpx-10.0.1.tgz
yargs-11.0.0.tgz
❌ y18n-3.2.1.tgz (Vulnerable Library)
y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/libnpx/node_modules/y18n/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/cacache/node_modules/y18n/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/y18n/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
libnpx-10.0.1.tgz
❌ y18n-4.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/package.json
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/request/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
npm-lifecycle-2.0.1.tgz
node-gyp-3.6.2.tgz
❌ request-2.85.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/ajv/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/ajv/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
request-2.83.0.tgz
har-validator-5.0.3.tgz
❌ ajv-5.5.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
❌ hosted-git-info-2.6.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/libnpx/node_modules/yargs/node_modules/yargs-parser/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
libnpx-10.0.1.tgz
yargs-11.0.0.tgz
❌ yargs-parser-9.0.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/bin-links/package.json
Dependency Hierarchy:
npm-5.8.0.tgz (Root Library)
❌ bin-links-1.1.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Arbitrary File Write vulnerability found in bin-links before 1.1.5. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
❌ npm-5.8.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
dev-mend-for-github-combot
changed the title
npm-5.8.0.tgz: 18 vulnerabilities (highest severity is: 9.8)
npm-5.8.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
Dec 7, 2023
dev-mend-for-github-combot
changed the title
npm-5.8.0.tgz: 19 vulnerabilities (highest severity is: 9.8)
npm-5.8.0.tgz: 20 vulnerabilities (highest severity is: 9.8)
May 31, 2024
Vulnerable Library - npm-5.8.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.8.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-1000620
Vulnerable Library - cryptiles-3.1.2.tgz
General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/request/node_modules/cryptiles/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/node_modules/hawk/node_modules/cryptiles/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0338
Vulnerable Library - bin-links-1.1.2.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/bin-links/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In bin-links, versions prior to v1.1.5 are vulnerable to a Symlink reference outside of 'node_modules' directory. An attacker can access unauthorized files.
Publish Date: 2019-12-10
URL: WS-2019-0338
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-12-10
Fix Resolution (bin-links): 1.1.5
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2019-16777
Vulnerable Library - npm-5.8.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.8.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16777
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: 6.13.4
In order to enable automatic remediation, please create workflow rules
CVE-2019-16776
Vulnerable Library - npm-5.8.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.8.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16776
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: 6.13.3
In order to enable automatic remediation, please create workflow rules
CVE-2019-16775
Vulnerable Library - npm-5.8.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.8.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16775
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: 6.13.3
In order to enable automatic remediation, please create workflow rules
WS-2020-0180
Vulnerable Library - npm-user-validate-1.0.0.tgz
User validations for npm
Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/npm-user-validate/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.
Publish Date: 2020-10-16
URL: WS-2020-0180
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xgh6-85xh-479p
Release Date: 2020-10-16
Fix Resolution (npm-user-validate): 1.0.1
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0339
Vulnerable Library - bin-links-1.1.2.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/bin-links/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In bin-links, versions prior to v1.1.6 are vulnerable to a Global 'node_modules' Binary Overwrite. It fails to prevent globally-installed binaries to be overwritten by other package installs.
Publish Date: 2019-12-11
URL: WS-2019-0339
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-12-11
Fix Resolution (bin-links): 1.1.6
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0310
Vulnerable Library - https-proxy-agent-2.2.1.tgz
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
"in 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.
Publish Date: 2019-10-07
URL: WS-2019-0310
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-10-07
Fix Resolution (https-proxy-agent): 2.2.3
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-29244
Vulnerable Library - npm-5.8.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.8.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie.
--workspaces
,--workspace=<name>
). Anyone who has runnpm pack
ornpm publish
inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.Publish Date: 2022-06-13
URL: CVE-2022-29244
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hj9c-8jmm-8c52
Release Date: 2022-06-13
Fix Resolution: 6.14.18
In order to enable automatic remediation, please create workflow rules
CVE-2022-24999
Vulnerable Library - qs-6.5.1.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-27290
Vulnerable Library - ssri-5.3.0.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz
Path to dependency file: /npm_and_yarn/helpers/package.json
Path to vulnerable library: /npm_and_yarn/helpers/node_modules/ssri/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/ssri/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (npm): 6.6.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7754
Vulnerable Library - npm-user-validate-1.0.0.tgz
User validations for npm
Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/npm-user-validate/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
Publish Date: 2020-10-27
URL: CVE-2020-7754
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754
Release Date: 2020-10-27
Fix Resolution (npm-user-validate): 1.0.1
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-8116
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/update-notifier/node_modules/configstore/node_modules/dot-prop/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7774
Vulnerable Libraries - y18n-3.2.1.tgz, y18n-4.0.0.tgz
y18n-3.2.1.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/y18n/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/libnpx/node_modules/yargs/node_modules/y18n/package.json
Dependency Hierarchy:
y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/libnpx/node_modules/y18n/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/cacache/node_modules/y18n/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/y18n/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (npm): 5.10.0
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2023-28155
Vulnerable Libraries - request-2.83.0.tgz, request-2.85.0.tgz
request-2.83.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.83.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/request/package.json
Dependency Hierarchy:
request-2.85.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.85.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/request/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/request/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
CVE-2020-15366
Vulnerable Library - ajv-5.5.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/ajv/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/ajv/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23362
Vulnerable Library - hosted-git-info-2.6.0.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.6.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-7608
Vulnerable Library - yargs-parser-9.0.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/libnpx/node_modules/yargs/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0337
Vulnerable Library - bin-links-1.1.2.tgz
JavaScript package binary linker
Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/bin-links/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Arbitrary File Write vulnerability found in bin-links before 1.1.5. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system.
Publish Date: 2019-12-11
URL: WS-2019-0337
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Release Date: 2019-12-11
Fix Resolution (bin-links): 1.1.5
Direct dependency fix Resolution (npm): 5.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-15095
Vulnerable Library - npm-5.8.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.8.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
Publish Date: 2020-07-07
URL: CVE-2020-15095
CVSS 3 Score Details (4.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-93f3-23rq-pjfp
Release Date: 2020-07-07
Fix Resolution: 6.14.6
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: