Vulnerabilities

DepShield reports that this application's usage of lodash._createassigner:3.1.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._createassigner:3.1.1 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._createassigner:3.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • chokidar-2.0.4.tgz
    • fsevents-1.2.4.tgz
      • node-pre-gyp-0.10.0.tgz
        • ❌ tar-4.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 28069adf6b4f4209a6f9d3714967f956fd4a2d71

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash._getnative:3.9.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._getnative:3.9.1 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash.keys:3.1.2
                          └─ lodash._getnative:3.9.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._bindcallback:3.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._bindcallback:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._createassigner:3.1.1
                          └─ lodash._bindcallback:3.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency(s):

• browser-sync:2.26.3
        └─ chokidar:2.0.4
              └─ lodash.debounce:4.0.8

• gulp:4.0.0
        └─ glob-watcher:5.0.1
              └─ chokidar:2.0.4
                    └─ lodash.debounce:4.0.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.assign:3.2.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.assign:3.2.0 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

test

Vulnerabilities

DepShield reports that this application's usage of lodash.restparam:3.6.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.restparam:3.6.1 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._createassigner:3.1.1
                          └─ lodash.restparam:3.6.1
              └─ lodash.restparam:3.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._isiterateecall:3.0.9 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._isiterateecall:3.0.9 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._createassigner:3.1.1
                          └─ lodash._isiterateecall:3.0.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2019-0034 - Medium Severity Vulnerability

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

path: /tmp/git/henriquecarv.github.io/node_modules/js-yaml/package.json

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Dependency Hierarchy:

• eslint-5.15.3.tgz (Root Library)
  • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 690da61cc90ff5da74d65bb954eae70d27956a23

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-31

URL: WS-2019-0034

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788

Release Date: 2019-03-31

Fix Resolution: 3.13.0

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash.isfinite:3.3.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.isfinite:3.3.2 is a transitive dependency introduced by the following direct dependency(s):

• browser-sync:2.26.3
        └─ portscanner:2.1.1
              └─ is-number-like:1.0.8
                    └─ lodash.isfinite:3.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isarguments:3.1.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isarguments:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash.keys:3.1.2
                          └─ lodash.isarguments:3.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.defaults:3.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.defaults:3.1.2 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isarray:3.0.4 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isarray:3.0.4 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash.keys:3.1.2
                          └─ lodash.isarray:3.0.4

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

path: /tmp/git/henriquecarv.github.io/node_modules/qs/package.json

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • ❌ qs-6.2.3.tgz (Vulnerable Library)

Vulnerability Details

the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js

Step up your Open Source Security Game with WhiteSource here

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/henriquecarv.github.io/node_modules/micromatch/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• browser-sync-2.26.3.tgz (Root Library)
  • micromatch-2.3.11.tgz
    • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash._basecopy:3.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._basecopy:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._baseassign:3.2.0
                          └─ lodash._basecopy:3.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.keys:3.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.keys:3.1.2 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._baseassign:3.2.0
                          └─ lodash.keys:3.1.2
                    └─ lodash.keys:3.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

path: /tmp/git/henriquecarv.github.io/node_modules/js-yaml/package.json

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Dependency Hierarchy:

• eslint-5.15.3.tgz (Root Library)
  • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in HEAD commit: c0460138d0ab81166660e4d56e4c32aafceb85f8

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-26

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-26

Fix Resolution: 3.13.0

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash._baseassign:3.2.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._baseassign:3.2.0 is a transitive dependency introduced by the following direct dependency(s):

• gulp-concat-css:3.1.0
        └─ lodash.defaults:3.1.2
              └─ lodash.assign:3.2.0
                    └─ lodash._baseassign:3.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}