dgee2 / dgee2.github.io
License: BSD Zero Clause License
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment/package.json
Dependency Hierarchy:
Found in base branch: master
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Publish Date: 2022-04-04
URL: CVE-2022-24785
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8hfj-j24r-96c4
Release Date: 2022-04-04
Fix Resolution (moment): 2.29.2
Direct dependency fix Resolution (gatsby): 4.10.1
Step up your Open Source Security Game with Mend here
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
A very fast streaming multipart parser for node.js
Library home page: https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dicer/package.json
Dependency Hierarchy:
Found in base branch: master
This affects all versions of package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. An attacker could send the payload again and again so that the service continuously crashes.
Publish Date: 2022-05-20
URL: CVE-2022-24434
Base Score Metrics:
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jpeg-js/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS), where a particular piece of input will cause it to enter an infinite loop and never return.
Publish Date: 2022-06-10
URL: CVE-2022-25851
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-06-10
Fix Resolution (jpeg-js): 0.4.4
Direct dependency fix Resolution (gatsby-plugin-sharp): 3.2.1
Bug: 139309277
Library home page: https://android.googlesource.com/platform/external/libaom
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
In extend_frame_highbd of restoration.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11, Android-10. Android ID: A-166268541
Publish Date: 2020-12-14
URL: CVE-2020-0470
Base Score Metrics:
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-0722
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226
Release Date: 2022-06-27
Fix Resolution (parse-url): 6.0.3
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/gh-pages/node_modules/async/package.json,/node_modules/portfinder/node_modules/async/package.json
Dependency Hierarchy:
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/gatsby-plugin-sharp/node_modules/async/package.json
Dependency Hierarchy:
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Fix Resolution (async): 3.2.2
Direct dependency fix Resolution (gatsby-plugin-sharp): 3.2.1
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-4.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
Found in base branch: master
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package starting from version 4.0.0, including those who use depending packages like socket.io. Versions prior to 4.0.0 are not impacted. A fix has been released for each major branch, namely 4.1.2 for the 4.x.x branch, 5.2.1 for the 5.x.x branch, and 6.1.1 for the 6.x.x branch. There is no known workaround except upgrading to a safe version.
Publish Date: 2022-01-12
URL: CVE-2022-21676
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-273r-mgr4-v34f
Release Date: 2022-01-12
Fix Resolution (engine.io): 4.1.2
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Parse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/moment/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may observe a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Publish Date: 2022-07-06
URL: CVE-2022-31129
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wc69-rhjr-hc9g
Release Date: 2022-07-06
Fix Resolution: moment - 2.29.4
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
Found in base branch: master
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Generate trusted local SSL/TLS certificates for local SSL development
Library home page: https://registry.npmjs.org/devcert/-/devcert-1.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/devcert/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package when an attacker is able to supply arbitrary input to the certificateFor method.
Publish Date: 2022-06-02
URL: CVE-2022-1929
Base Score Metrics:
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/devcert-redos-xray-211352/
Release Date: 2022-06-02
Fix Resolution (devcert): 1.2.1
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
High performance Node.js image processing, the fastest module to resize JPEG, PNG, WebP, AVIF and TIFF images
Library home page: https://registry.npmjs.org/sharp/-/sharp-0.27.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sharp/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5. If an attacker has the ability to set the value of the PKG_CONFIG_PATH environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.
Publish Date: 2022-05-25
URL: CVE-2022-29256
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29256
Release Date: 2022-05-25
Fix Resolution (sharp): 0.30.5
Direct dependency fix Resolution (gatsby-plugin-manifest): 4.8.0
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-package-data/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in base branch: master
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (gatsby): 4.14.0
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in base branch: master
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid/package.json
Dependency Hierarchy:
Found in base branch: master
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Parse paths (local paths, urls: ssh/git/etc)
Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-path/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
Publish Date: 2022-06-28
URL: CVE-2022-0624
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624
Release Date: 2022-06-28
Fix Resolution (parse-path): 6.0.0
Direct dependency fix Resolution (gatsby): 4.0.0
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.21.2
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
Found in base branch: master
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (gatsby-plugin-sharp): 3.12.0-coreutils.29
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (gatsby): 3.13.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.slim.min.js
Path to dependency file: /node_modules/eol/index.html
Path to vulnerable library: /node_modules/eol/index.html
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: axios - v0.26.0
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/package-json/node_modules/got/package.json,/node_modules/gatsby-source-filesystem/node_modules/got/package.json
Dependency Hierarchy:
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-7.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/download/node_modules/got/package.json
Dependency Hierarchy:
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
Human-friendly and powerful HTTP request library for Node.js
Library home page: https://registry.npmjs.org/got/-/got-10.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/gatsby-plugin-sharp/node_modules/got/package.json
Dependency Hierarchy:
Found in base branch: master
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 12.2.0
Direct dependency fix Resolution (gatsby): 4.17.2
Fix Resolution (got): 12.2.0
Direct dependency fix Resolution (gatsby-plugin-sharp): 4.18.1
Fix Resolution (got): 12.2.0
Direct dependency fix Resolution (gatsby): 4.17.2
Fix Resolution (got): 12.2.0
Direct dependency fix Resolution (gatsby-plugin-sharp): 4.18.1
Middleware and an Upload scalar to add support for GraphQL multipart requests (file uploads via queries and mutations) to various Node.js GraphQL servers.
Library home page: https://registry.npmjs.org/graphql-upload/-/graphql-upload-11.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/graphql-upload/package.json
Dependency Hierarchy:
Found in base branch: master
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename.
Publish Date: 2022-05-16
URL: CVE-2022-29353
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-29353
Release Date: 2022-05-16
Fix Resolution: no_fix
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in base branch: master
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-2216
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/
Release Date: 2022-06-27
Fix Resolution (parse-url): 6.0.3
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in base branch: master
Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-2218
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5/
Release Date: 2022-06-27
Fix Resolution (parse-url): 6.0.3
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in base branch: master
Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.
Publish Date: 2022-09-15
URL: CVE-2022-3224
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3224
Release Date: 2022-09-15
Fix Resolution: parse-url - 8.1.0
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in base branch: master
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
Publish Date: 2022-09-14
URL: CVE-2022-2900
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-09-14
Fix Resolution (parse-url): 8.0.0
Direct dependency fix Resolution (gatsby): 4.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (gatsby): 3.13.0
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
The package glob-parent from 6.0.0 and before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
Found in base branch: master
The package terser before 4.8.1, and from 5.0.0 and before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution: terser - 4.8.1,5.14.2
An advanced url parser supporting git urls too.
Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.
Publish Date: 2022-06-27
URL: CVE-2022-2217
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b/
Release Date: 2022-06-27
Fix Resolution (parse-url): 6.0.3
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/humanize-url/node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/parse-url/node_modules/normalize-url/package.json,/node_modules/postcss-normalize-url/node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/gatsby-plugin-sharp/node_modules/normalize-url/package.json,/node_modules/package-json/node_modules/normalize-url/package.json,/node_modules/gatsby-source-filesystem/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in base branch: master
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (gh-pages): 3.2.1
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (gatsby): 3.14.0
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (gatsby): 3.14.0
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (gatsby): 3.14.0
Detect the file type of a Buffer/Uint8Array/ArrayBuffer
Library home page: https://registry.npmjs.org/file-type/-/file-type-16.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/file-type/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.
Publish Date: 2022-07-21
URL: CVE-2022-36313
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-07-21
Fix Resolution (file-type): 16.5.4
Direct dependency fix Resolution (gatsby-source-filesystem): 3.3.0
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability was discovered in IS-SVG versions 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDoS) occurs if the application is given and checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Trim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim/package.json
Dependency Hierarchy:
Found in HEAD commit: d34d2613e60e2c1800648027985cd960c769bd0d
Found in base branch: master
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-10-27
Fix Resolution (trim): 0.0.3
Direct dependency fix Resolution (gatsby): 4.0.0
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prebuild-install/node_modules/simple-get/package.json
Dependency Hierarchy:
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-get/package.json
Dependency Hierarchy:
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.
Publish Date: 2022-01-26
URL: CVE-2022-0355
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355
Release Date: 2022-01-26
Fix Resolution (simple-get): 3.1.1
Direct dependency fix Resolution (gatsby-plugin-manifest): 3.3.0
Fix Resolution (simple-get): 4.0.1
Direct dependency fix Resolution (gatsby-plugin-manifest): 3.3.0
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource/package.json
Dependency Hierarchy:
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in base branch: master
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (gatsby): 4.17.2
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (gatsby): 3.13.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, the RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (gatsby): 3.13.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (gatsby): 3.13.0
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
Found in base branch: master
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.
Publish Date: 2022-06-02
URL: CVE-2021-43307
Base Score Metrics:
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (gatsby-plugin-sharp): 3.12.0-coreutils.29
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (gatsby): 3.3.0-telemetry-test.33
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-dev-server/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to ReDoS.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (gatsby): 3.13.0