Displays cryptocurrency price variations on Das Keyboards Q Series.
License: MIT License
![dependabot-preview[bot] avatar](https://avatars.githubusercontent.com/in/2141?v=4 "dependabot-preview[bot]")
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![greenkeeper[bot] avatar](https://avatars.githubusercontent.com/in/505?v=4 "greenkeeper[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
![mergify[bot] avatar](https://avatars.githubusercontent.com/in/10562?v=4 "mergify[bot]")
Vulnerable Library - lodash-4.17.20.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f8fc496407b1b7cec555f40af180b50263db9b27
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - qs-6.5.2.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 47450db37034e33dacd9a5dfb600b083610e2343
Found in base branch: master
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - nanoid-3.1.25.tgzA tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package nanoid before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23566
Release Date: 2022-01-14
Fix Resolution: nanoid - 3.1.31
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - color-string-1.5.3.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: ebfd7c7e905398aa87726c1d28fdbfb0f2a876ad
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5
Release Date: 2021-03-12
Fix Resolution: color-string - 1.5.5
Step up your Open Source Security Game with WhiteSource here
7.0.0 to 7.0.1.π¨ View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
mocha is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
The Security Check found 1 vulnerabilities.| Severity | CVSS Score |
CVE | GitHub Issue |
|---|---|---|---|
| Medium |
5.5 | CVE-2019-16777 | #25 |
reporterOptions (@holm)The new version differs by 9 commits.
d0f04e9 Release v7.0.12277958 update CHANGELOG for v7.0.1 [ci skip]0be3f78 Fix exception when skipping tests programmatically (#4165)c0f1d14 uncaughtException: fix recovery when current test is still running (#4150)9c10ada Fix backwards compability break for reporterOptionsa24683f Throw a descriptive error when a non-function is given to a runnable (#4133)579fd09 update copyright & trademark notices per OJSF; closes #41450e1ccbb Fix leaking global 'uncaughtException' handler (#4147)7d78f20 Broken links in docs (#4140)See the full diff
There is a collection of frequently asked questions. If those donβt help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot π΄
Vulnerable Library - glob-parent-5.1.2.tgzExtract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: ecd63581aa0267bc999671b78aac5b28d7979655
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: gulpjs/glob-parent#49
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - async-3.2.0.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
Found in HEAD commit: 315686da61b11beb436d1b13619b006814d6d3b1
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: async - 2.6.4,3.2.2
Step up your Open Source Security Game with Mend here
βοΈ Important announcement: Greenkeeper will be saying goodbye π and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io
7.1.1 to 7.1.2.π¨ View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
mocha is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
Way to go! The Security Check did not find any vulnerabilities.
The build failed.The new version differs by 7 commits.
27aeb80 Release v7.1.2e3df026 update CHANGELOG for v7.1.2 [ci skip]7f75489 add test case: type check before calling retriedTest()e659027 type check before calling retriedTest()eba6ec7 Remove Runnable#inspect() and utils.ngettext() (#4230)a4a4d50 add wallaby logo to bottom of sitec600547 update mkdirp to v0.5.5 (#4222)See the full diff
There is a collection of frequently asked questions. If those donβt help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot π΄
Vulnerable Library - tough-cookie-2.5.0.tgzRFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy:
Found in HEAD commit: e17e4f8ebd17323e2e292f2b0010c2858e0e9480
Found in base branch: master
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - yarn-1.21.1.tgz???????? Fast, reliable, and secure dependency management.
Library home page: https://registry.npmjs.org/yarn/-/yarn-1.21.1.tgz
Path to dependency file: /tmp/ws-scm/daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: /daskeyboard-applet--crypto-watch/node_modules/yarn/package.json
Dependency Hierarchy:
Found in HEAD commit: 9e8f0a0fb8ff78ec4ab6735dde02bdd7d60b0b7e
Vulnerability Details
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16777
CVSS 2 Score Details (5.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: npm - 6.13.4
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - lodash-4.17.20.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f8fc496407b1b7cec555f40af180b50263db9b27
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - qs-6.5.2.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 73d1565c81ac887c43fd156f3860444009b4b29c
Found in base branch: master
Vulnerability Details
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
Publish Date: 2022-03-17
URL: CVE-2021-44907
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907
Release Date: 2022-03-17
Fix Resolution: qs - 6.8.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - netmask-1.0.6.tgzParse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/netmask/package.json
Dependency Hierarchy:
Found in HEAD commit: 40c3e5990e6df27ccc3063506b618953224de1bd
Found in base branch: master
Vulnerability Details
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Publish Date: 2021-03-30
URL: CVE-2021-29418
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://vuln.ryotak.me/advisories/6.txt
Release Date: 2021-03-30
Fix Resolution: 2.0.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - netmask-1.0.6.tgzParse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/netmask/package.json
Dependency Hierarchy:
Found in HEAD commit: 40c3e5990e6df27ccc3063506b618953224de1bd
Found in base branch: master
Vulnerability Details
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Publish Date: 2021-04-01
URL: CVE-2021-28918
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-pch5-whg9-qr2r
Release Date: 2021-03-19
Fix Resolution: netmask - 2.0.1
Step up your Open Source Security Game with WhiteSource here
From first review:
Vulnerable Library - minimist-1.2.5.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/node_modules/minimist/package.json,/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 73d1565c81ac887c43fd156f3860444009b4b29c
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906
Release Date: 2022-03-17
Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - y18n-4.0.0.tgzthe bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: a95d507e585679cb36096233ce82c27cb410ee2c
Vulnerability Details
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - serialize-javascript-3.0.0.tgzSerialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-3.0.0.tgz
Path to dependency file: /tmp/ws-scm/daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: /tmp/ws-scm/daskeyboard-applet--crypto-watch/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: ef37aa8a7faf38c0ac96efcd4c56d89e50bd34e0
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - color-string-1.5.3.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/color-string/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution: color-string - 1.5.5
Step up your Open Source Security Game with WhiteSource here
From first review:
Replace the others questions types (for the keys decimals, refresh, and threshold) with a drop-down. This way it improves the user-experience and reduces the possible syntax errors. (examples: decimals key and threshold key can allow the value between 1 and 5, and refresh key can allow the value 1,5,10,20,30,40,50,60)
You can find how to build drop-down lists here
Vulnerable Library - path-parse-1.0.6.tgzNode.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: ebfd7c7e905398aa87726c1d28fdbfb0f2a876ad
Found in base branch: master
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jszip-3.4.0.tgzCreate, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/snyk-nuget-plugin/node_modules/jszip/package.json
Dependency Hierarchy:
Found in HEAD commit: ce0cefd07492dd0de75ac8644cda83862ce2894e
Found in base branch: master
Vulnerability Details
This affects the package jszip before 3.7.0.
Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.
Publish Date: 2021-07-25
URL: CVE-2021-23413
CVSS 3 Score Details (6.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: 2021-07-25
Fix Resolution: jszip - 3.7.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - json-schema-0.2.3.tgzJSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
Found in HEAD commit: 04d63891205c2d4f42f7bfdcc0e8b21f4a1c97e7
Found in base branch: master
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution: json-schema - 0.4.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - snyk-1.1062.0.tgzLibrary home page: https://registry.npmjs.org/snyk/-/snyk-1.1062.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/snyk/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as βtrustedβ in order to be vulnerable. NOTE: This issue is independent of the one reported in CVE-2022-40764, and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions
Publish Date: 2022-11-30
URL: CVE-2022-24441
CVSS 3 Score Details (5.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24441
Release Date: 2022-11-30
Fix Resolution: 1.1064.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - snyk-1.1062.0.tgzLibrary home page: https://registry.npmjs.org/snyk/-/snyk-1.1062.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/snyk/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for CVE-2022-40764. A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.
Publish Date: 2022-11-30
URL: CVE-2022-22984
CVSS 3 Score Details (5.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-22984
Release Date: 2022-11-30
Fix Resolution: 1.1064.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - ansi-regex-5.0.0.tgzRegular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: daskeyboard-applet--crypto-watch/node_modules/nyc/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 6b30f425a2d31f6f9440db59b06e4bf42a943050
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,6.0.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - request-2.88.2.tgzSimplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: /tmp/ws-scm/daskeyboard-applet--crypto-watch/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /tmp/ws-scm/daskeyboard-applet--crypto-watch/package.json
Path to vulnerable library: /tmp/ws-scm/daskeyboard-applet--crypto-watch/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: bb167c5636743dc058a5be05739f13618cb5d8a1
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Step up your Open Source Security Game with WhiteSource here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.