A basic vsts extension startup project
unclebats / vsts-extension-basic
License: MIT License
Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.2.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/bl/package.json
Dependency Hierarchy:
A buffer over-read vulnerability exists in bl before 4.0.3, 3.0.1, 2.2.1 and 1.2.3. If attacker-controlled input (even when it is typed as a number) reaches the argument of consume() and is negative, the BufferList's internal state is corrupted, and ordinary .slice() calls afterwards can expose uninitialized memory.
Publish Date: 2020-08-30
URL: CVE-2020-8244
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244
Release Date: 2020-07-21
Fix Resolution: 2.2.1,3.0.1,4.0.3
Step up your Open Source Security Game with WhiteSource here
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/underscore/package.json
Dependency Hierarchy:
Versions of underscore from 1.3.2 before 1.12.1, and from 1.13.0-0 before 1.13.0-2, are vulnerable to Arbitrary Code Execution via the template function, in particular when a `variable` property is passed in the settings argument, because that value is not sanitized before it is used in generated code.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1,1.13.0-2
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
lodash prior to 4.17.11 is affected by CWE-400 (Uncontrolled Resource Consumption), with denial of service as the impact. The affected component is the date handler; the attack vector is an attacker-supplied very long string that the library attempts to match with a regular expression. The fixed version is 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2019-07-17
Fix Resolution: 4.17.11
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-23
Fix Resolution: lodash - 4.17.19
Synchronous exec with status code support. Requires no external dependencies, no need for node-gyp compilations etc.
Library home page: https://registry.npmjs.org/sync-exec/-/sync-exec-0.6.2.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/sync-exec/package.json
Dependency Hierarchy:
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.
Publish Date: 2018-06-04
URL: CVE-2017-16024
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/310
Release Date: 2017-04-14
Fix Resolution: There is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively.
The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of sync-exec to child_process.execSync().
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-08
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
The modern build of lodash modular utilities.
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: /tmp/git/vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: /tmp/git/vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2018-11-25
URL: WS-2018-0210
Type: Change files
Origin: lodash/lodash@90e6199
Release Date: 2018-08-31
Fix Resolution: Replace or update the following files: lodash.js, test.js
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/minimist/package.json
Dependency Hierarchy:
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
An XML builder for node.js
Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-9.0.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/xmlbuilder/package.json
Dependency Hierarchy:
The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.
Publish Date: 2018-02-08
URL: WS-2018-0625
Base Score Metrics:
Type: Upgrade version
Origin: oozcitak/xmlbuilder-js@bbf929a
Release Date: 2020-03-23
Fix Resolution: 9.0.5
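An added example, not lodash's or xmlbuilder-js's code, for the regular-expression denial-of-service alerts on this page (CVE-2019-1010266 and CVE-2020-28500 for lodash, and this xmlbuilder-js issue): the quadratic trailing-whitespace regex shape, a linear index-scanning trim in the spirit of what the lodash 4.17.21 fix moved to, and a timing loop that makes the growth visible. The exact regex, the function names and the adversarial input are this example's own.

```javascript
'use strict';

// Constructed example (not lodash's or xmlbuilder-js's code). A regex of this shape
// trims both ends in one pass. `\s+$` is the problem: for every start position inside
// a run of spaces that is NOT at the end of the string, the engine matches the whole
// run, fails on `$`, then backtracks one character at a time. Work grows as n^2.
const RE_TRIM = /^\s+|\s+$/g;

function trimRegex(s) {
  return s.replace(RE_TRIM, '');
}

const isWhitespace = (ch) => /\s/.test(ch);   // single-character test: O(1)

// Linear: find the first and last non-whitespace index, then slice once.
function trimScan(s) {
  let start = 0;
  let end = s.length;
  while (start < end && isWhitespace(s[start])) start += 1;
  while (end > start && isWhitespace(s[end - 1])) end -= 1;
  return s.slice(start, end);
}

// toNumber-style helper on top of the safe trim: "  42  " -> 42, " 1e3 " -> 1000.
function toNumberSafe(value) {
  const t = trimScan(String(value));
  return t === '' ? NaN : Number(t);
}

// Adversarial input (constructed): a long run of spaces followed by a non-space, so
// the `$` anchor fails at every attempt and the backtracking is paid in full.
function adversarial(n) {
  return 'x' + ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call; only meaningful for the demo printout.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the regex time; the scan stays flat.
  for (const n of [4000, 8000, 16000]) {
    const input = adversarial(n);
    console.log(`n=${n}: regex ${timeMs(trimRegex, input).toFixed(1)} ms, scan ${timeMs(trimScan, input).toFixed(1)} ms`);
  }
}
```

The same audit question applies to any `.replace()` or `.test()` that runs on attacker-sized strings: a quantifier followed by something that can fail (`$`, a literal, another quantifier) is the pattern to look for.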
There is an error with this repository's WhiteSource configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.
Errors:
A drop-in replacement for `util` with some additional advantageous functions
Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/utile/package.json
Dependency Hierarchy:
utile before version 0.3.0 allocates uninitialized Buffers when a number is passed as input.
Publish Date: 2018-07-16
URL: WS-2018-0148
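An added example, not code from bl, utile or this repository, for the bl alert above (CVE-2020-8244) and this utile alert: a toy buffer list whose consume() accepts a negative count and whose slice() allocates uninitialized memory, beside a hardened version that ignores the bad count and allocates zeroed memory sized from the real data. Class and function names are this example's own; the inputs are constructed.

```javascript
'use strict';

// Constructed example (not bl's or utile's code). The unsafe list has no check for a
// negative byte count in consume(), which is the defect the CVE-2020-8244 alert
// describes, and sizes slice() from its bookkeeping counter with Buffer.allocUnsafe().
// The utile alert (WS-2018-0148) is the allocation half of the same problem on its
// own: on the Node.js releases of its day `new Buffer(size)` returned memory that was
// not zeroed, which is what Buffer.allocUnsafe(size) does explicitly today.

class BufferListUnsafe {
  constructor() {
    this._bufs = [];
    this.length = 0;          // bookkeeping: what the list CLAIMS to hold
  }

  append(data) {
    const b = Buffer.from(data);
    this._bufs.push(b);
    this.length += b.length;
    return this;
  }

  // Bytes the chunks really hold; should always equal `length`.
  heldBytes() {
    return this._bufs.reduce((n, b) => n + b.length, 0);
  }

  // No check on `bytes`. With a negative count, subarray(bytes) keeps the TAIL of the
  // first chunk (negative offsets count from the end) while `length` is INCREASED, so
  // the counter now claims more data than the chunks contain.
  consume(bytes) {
    while (this._bufs.length) {
      if (bytes >= this._bufs[0].length) {
        bytes -= this._bufs[0].length;
        this.length -= this._bufs[0].length;
        this._bufs.shift();
      } else {
        this._bufs[0] = this._bufs[0].subarray(bytes);
        this.length -= bytes;
        break;
      }
    }
    return this;
  }

  // Allocates for the CLAIMED length, copies the bytes that exist, and returns the
  // remainder uninitialized: whatever the allocator last left in that memory.
  slice() {
    const out = Buffer.allocUnsafe(this.length);
    let offset = 0;
    for (const b of this._bufs) {
      b.copy(out, offset);
      offset += b.length;
    }
    return out;
  }
}

class BufferListSafe extends BufferListUnsafe {
  // Normalise first, then ignore anything that is not a positive count.
  consume(bytes) {
    bytes = Math.trunc(bytes);
    if (Number.isNaN(bytes) || bytes <= 0) return this;
    return super.consume(bytes);
  }

  // Zeroed allocation sized from the chunks themselves, never from `length`, so even
  // a stale counter cannot surface memory the list never owned.
  slice() {
    const out = Buffer.alloc(this.heldBytes());
    let offset = 0;
    for (const b of this._bufs) {
      b.copy(out, offset);
      offset += b.length;
    }
    return out;
  }
}

// utile-style "make a buffer from whatever was passed", in both forms.
function bufferFromInputUnsafe(input) {
  return typeof input === 'number' ? Buffer.allocUnsafe(input) : Buffer.from(input);
}
function bufferFromInputSafe(input) {
  return typeof input === 'number' ? Buffer.alloc(input) : Buffer.from(input);
}

if (typeof require !== 'undefined' && require.main === module) {
  const u = new BufferListUnsafe().append('hello').append('world').consume(-3);
  console.log('unsafe: claims', u.length, 'bytes, holds', u.heldBytes(), '->', u.slice());   // 13 vs 8
  const s = new BufferListSafe().append('hello').append('world').consume(-3);
  console.log('safe:   claims', s.length, 'bytes, holds', s.heldBytes(), '->', s.slice().toString()); // helloworld
}
```

The five trailing bytes of the unsafe slice() are whatever happened to be in the heap; in a server that is other requests' data, which is why the advisory calls it an information exposure rather than a crash.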
There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.
Errors:
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
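An added example, not underscore's or lodash's code, for the underscore alert above (CVE-2021-23358, the `variable` setting) and this lodash alert (CVE-2021-23337, the `sourceURL` setting): a minimal template compiler on top of `new Function` that splices both settings into generated source unchecked, beside a version that requires `variable` to be a bare identifier and flattens whitespace in `sourceURL`, which is the shape of the upstream fixes. The compiler, the payloads and the marker global are this example's own.

```javascript
'use strict';

// Constructed example (not underscore's or lodash's code). Both libraries' template()
// build a function with `new Function`. Two settings reach the generated source here:
// `variable` becomes the parameter list, and `sourceURL` goes into a leading
// "//# sourceURL=" comment, the position lodash's template() used for it.

const INTERPOLATE = /<%=([\s\S]+?)%>/g;

// Turns "Hello <%= data.name %>" into a function body that builds the string.
function buildBody(text) {
  let body = "let __t, __p = '';\n";
  let index = 0;
  for (const m of text.matchAll(INTERPOLATE)) {
    body += '__p += ' + JSON.stringify(text.slice(index, m.index)) + ';\n';
    body += '__p += ((__t = (' + m[1] + ')) == null ? "" : __t);\n';
    index = m.index + m[0].length;
  }
  body += '__p += ' + JSON.stringify(text.slice(index)) + ';\nreturn __p;';
  return body;
}

// Vulnerable: both option values are spliced into code verbatim.
function compileUnsafe(text, options = {}) {
  const variable = options.variable || 'data';
  const sourceURL = '//# sourceURL=' + (options.sourceURL || 'template') + '\n';
  return new Function(variable, sourceURL + buildBody(text));
}

// Hardened. `variable` must be a bare identifier: "data = evil()" is valid parameter
// syntax (a default initializer) and runs when the template is called without an
// argument. Whitespace in `sourceURL`, newlines included, is flattened so the value
// cannot end the comment line and start a statement.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileSafe(text, options = {}) {
  const variable = options.variable || 'data';
  if (!BARE_IDENTIFIER.test(variable)) {
    throw new Error('variable is not a bare identifier: ' + variable);
  }
  const url = String(options.sourceURL || 'template').replace(/\s/g, ' ');
  return new Function(variable, '//# sourceURL=' + url + '\n' + buildBody(text));
}

// Runs `fn` and reports whether an injected payload managed to set its marker.
function executesInjection(fn) {
  delete globalThis.__tpl_injected;
  try { fn(); } catch (_) { /* the hardened compiler throws: nothing executed */ }
  const hit = globalThis.__tpl_injected === true;
  delete globalThis.__tpl_injected;
  return hit;
}

// Payloads as they would arrive in attacker-controlled template settings (constructed).
const VARIABLE_PAYLOAD = 'data = (globalThis.__tpl_injected = true, {})';
const SOURCEURL_PAYLOAD = 'tpl.js\nglobalThis.__tpl_injected = true;';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compileSafe('Hello <%= data.name %>!')({ name: 'bl' }));   // Hello bl!
  console.log('unsafe variable :', executesInjection(() => compileUnsafe('', { variable: VARIABLE_PAYLOAD })()));   // true
  console.log('unsafe sourceURL:', executesInjection(() => compileUnsafe('', { sourceURL: SOURCEURL_PAYLOAD })())); // true
  console.log('safe variable   :', executesInjection(() => compileSafe('', { variable: VARIABLE_PAYLOAD })()));     // false
  console.log('safe sourceURL  :', executesInjection(() => compileSafe('', { sourceURL: SOURCEURL_PAYLOAD })()));   // false
}
```

The template text itself is code by design in both libraries; the alerts are about the settings object, which applications often populate from configuration that was assumed to be inert.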
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/inquirer/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /vsts-extension-basic/package.json
Path to vulnerable library: vsts-extension-basic/node_modules/lodash/package.json
Dependency Hierarchy:
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of a property that will then exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution: 4.17.5
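An added example, not lodash's or minimist's code, for the prototype-pollution alerts on this page (CVE-2018-3721, CVE-2018-16487, CVE-2019-10744 and WS-2018-0210 for merge, mergeWith and defaultsDeep; CVE-2020-8203 for zipObjectDeep; CVE-2020-7598 for minimist's dotted argv keys): a toy deep merge and a toy dotted-path setter in their polluting form and in a hardened form that refuses `__proto__`, `constructor` and `prototype` keys and only recurses into own properties. Function names, the FORBIDDEN set and the payloads are this example's own.

```javascript
'use strict';

// Constructed example (not lodash's or minimist's code). mergeUnsafe stands in for
// merge/mergeWith/defaultsDeep; setPathUnsafe stands in for zipObjectDeep and for
// minimist turning "--a.b.c=1" into nested objects.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys that must never be walked into or assigned through: each resolves to something
// shared (Object.prototype directly, or a class's prototype via .constructor).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: iterates every key of `source`, including an own property literally
// named "__proto__" (JSON.parse creates one for {"__proto__":{...}}). Reading
// target["__proto__"] yields Object.prototype, which is then recursed into and written.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the forbidden keys, and only recurse into an object that `target`
// owns itself, so an inherited object can never become the write target.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable: "__proto__.polluted" walks into Object.prototype on the first segment.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isPlainObject(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse any segment that names a prototype-chain hop.
function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error('refusing to set a path through a prototype key: ' + path);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(cur, keys[i]) || !isPlainObject(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs `fn` and reports whether every fresh object now carries `polluted`, then
// removes the property from Object.prototype again so later code is unaffected.
function pollutes(fn) {
  try {
    try { fn(); } catch (_) { /* a hardened function may throw; that counts as blocked */ }
    return ({}).polluted !== undefined;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Attacker-controlled input as it would arrive in a JSON body or on argv (constructed).
const PAYLOAD = JSON.parse('{"__proto__":{"polluted":"yes"}}');
const ARGV_KEY = '__proto__.polluted';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('mergeUnsafe pollutes:  ', pollutes(() => mergeUnsafe({}, PAYLOAD)));              // true
  console.log('mergeSafe pollutes:    ', pollutes(() => mergeSafe({}, PAYLOAD)));                // false
  console.log('setPathUnsafe pollutes:', pollutes(() => setPathUnsafe({}, ARGV_KEY, 'yes')));    // true
  console.log('setPathSafe pollutes:  ', pollutes(() => setPathSafe({}, ARGV_KEY, 'yes')));      // false
}
```

The payload only needs to reach the parser once: after that, every `if (user.isAdmin)` style check that reads a property the object never had will see the attacker's value, which is why the alerts rate these as more than a denial of service.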