You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2020-0218
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
jest-haste-map-22.0.3.tgz
sane-2.2.0.tgz
exec-sh-0.2.1.tgz
❌ merge-1.2.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
jest-haste-map-22.0.3.tgz
sane-2.2.0.tgz
exec-sh-0.2.1.tgz
❌ merge-1.2.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
jest-snapshot-22.0.3.tgz
jest-diff-22.0.3.tgz
❌ diff-3.4.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/node-notifier/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
❌ node-notifier-5.1.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json
all versions prior to 2.0.0 of content-type-parser npm package are vulnerable to ReDoS via the user agent parser. the vulnerability was fixed by reintroducing a new parser and deleting the old one.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
yargs-10.0.3.tgz
❌ yargs-parser-8.0.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
micromatch-2.3.11.tgz
braces-1.8.5.tgz
expand-range-1.8.2.tgz
fill-range-2.2.3.tgz
❌ randomatic-1.1.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
istanbul-api-1.2.1.tgz
istanbul-reports-1.1.3.tgz
❌ handlebars-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json
Dependency Hierarchy:
jest-cli-22.0.4.tgz (Root Library)
jest-environment-jsdom-22.0.4.tgz
jsdom-11.5.1.tgz
❌ nwmatcher-1.4.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.
Vulnerable Library - jest-cli-22.0.4.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-19919
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.
Publish Date: 2019-12-20
URL: CVE-2019-19919
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1164
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0333
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.
Publish Date: 2019-11-18
URL: WS-2019-0333
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-11-18
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2019-20920
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2020-10-15
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2020-0218
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2020-10-09
URL: WS-2020-0218
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-09
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (jest-cli): 24.0.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0493
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-14
URL: WS-2019-0493
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-11-14
Fix Resolution (handlebars): 4.5.2
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0492
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-19
URL: WS-2019-0492
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-11-19
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0318
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.
Publish Date: 2019-10-20
URL: WS-2019-0318
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2019-10-20
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2019-20922
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Publish Date: 2020-09-30
URL: CVE-2019-20922
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2018-16469
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.
Publish Date: 2018-10-30
URL: CVE-2018-16469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469
Release Date: 2018-10-30
Fix Resolution (merge): 1.2.1
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0064
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.
Publish Date: 2019-01-30
URL: WS-2019-0064
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/755/versions
Release Date: 2019-01-30
Fix Resolution (handlebars): 4.0.14
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2020-28499
Vulnerable Library - merge-1.2.0.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Mend Note: Converted from WS-2020-0218, on 2021-07-21.
Publish Date: 2021-02-18
URL: CVE-2020-28499
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1666
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.1
Direct dependency fix Resolution (jest-cli): 24.0.0
In order to enable automatic remediation, please create workflow rules
WS-2018-0590
Vulnerable Library - diff-3.4.0.tgz
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 2 Score Details (7.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0103
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
Publish Date: 2019-01-30
URL: WS-2019-0103
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-30
Fix Resolution (handlebars): 4.0.13
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2021-23383
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2021-23369
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
CVE-2020-7789
Vulnerable Library - node-notifier-5.1.2.tgz
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.1.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/node-notifier/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789
Release Date: 2020-12-11
Fix Resolution (node-notifier): 5.4.4
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2017-3757
Vulnerable Library - content-type-parser-1.0.2.tgz
Parse the value of the Content-Type header
Library home page: https://registry.npmjs.org/content-type-parser/-/content-type-parser-1.0.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
all versions prior to 2.0.0 of content-type-parser npm package are vulnerable to ReDoS via the user agent parser. the vulnerability was fixed by reintroducing a new parser and deleting the old one.
Publish Date: 2017-12-10
URL: WS-2017-3757
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-12-10
Fix Resolution: v2.0.0
CVE-2020-7608
Vulnerable Library - yargs-parser-8.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-8.0.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (jest-cli): 24.9.0
In order to enable automatic remediation, please create workflow rules
CVE-2017-16028
Vulnerable Library - randomatic-1.1.7.tgz
Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.
Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).
Publish Date: 2018-04-26
URL: CVE-2017-16028
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/157/versions
Release Date: 2018-04-26
Fix Resolution (randomatic): 3.0.0
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0332
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.
Publish Date: 2019-11-17
URL: WS-2019-0332
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-11-17
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2019-0331
Vulnerable Library - handlebars-4.0.11.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-13
URL: WS-2019-0331
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-11-13
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
WS-2018-0589
Vulnerable Library - nwmatcher-1.4.3.tgz
A CSS3-compliant JavaScript selector engine.
Library home page: https://registry.npmjs.org/nwmatcher/-/nwmatcher-1.4.3.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.
Publish Date: 2018-03-05
URL: WS-2018-0589
CVSS 2 Score Details (4.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (nwmatcher): 1.4.4
Direct dependency fix Resolution (jest-cli): 22.0.5
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: