9renpoto / backend Goto Github PK

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

---

Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/create:3.18.0
              └─ whatwg-url:7.1.0
                    └─ lodash.sortby:4.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.set:4.3.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

---

Occurrences

lodash.set:4.3.2 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/version:3.18.3
              └─ @lerna/github-client:3.16.5
                    └─ @octokit/rest:16.34.1
                          └─ lodash.set:4.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

---

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/publish:3.18.3
              └─ @lerna/npm-publish:3.16.2
                    └─ @evocateur/libnpmpublish:1.2.2
                          └─ lodash.clonedeep:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

---

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• @9renpoto/eslint-config-typescript:5.3.0
        └─ @9renpoto/eslint-config:5.3.0
              └─ eslint-plugin-import:2.18.2
                    └─ eslint-import-resolver-node:0.3.2
                          └─ debug:2.6.9
                    └─ eslint-module-utils:2.4.1
                          └─ debug:2.6.9
                    └─ debug:2.6.9

• lerna:3.18.3
        └─ @lerna/create:3.18.0
              └─ globby:9.2.0
                    └─ fast-glob:2.2.7
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
                                └─ snapdragon:0.8.2
                                      └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

---

Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/version:3.18.3
              └─ @lerna/conventional-commits:3.16.4
                    └─ conventional-changelog-angular:5.0.5
                          └─ q:1.5.1
                    └─ conventional-changelog-core:3.2.3
                          └─ q:1.5.1
                    └─ conventional-recommended-bump:5.0.1
                          └─ q:1.5.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

This issue provides visibility into Renovate updates and their statuses. Learn more

Rate Limited

These updates are currently rate limited. Click on a checkbox below to force their creation now.

• chore(deps): update actions/checkout action to v2.4.0
• chore(deps): update dependency textlint to v12.1.1
• chore(deps): update actions/checkout action to v3
• chore(deps): update actions/setup-node action to v3
• chore(deps): update dependency @types/jest to v27
• chore(deps): update dependency faker to v6 (faker, @types/faker)
• chore(deps): update dependency lint-staged to v12
• chore(deps): update npm to v8
• fix(deps): update dependency @nestjs/config to v2
• fix(deps): update dependency @nestjs/graphql to v10
• fix(deps): update dependency nestjs-stripe to v1
• fix(deps): update dependency typeorm-naming-strategies to v4

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency @types/faker to v5.5.9
• chore(deps): update dependency husky to v7.0.4
• chore(deps): update dependency prettier-plugin-organize-imports to v2.3.4
• chore(deps): update actions/setup-node action to v2.5.1
• chore(deps): update dependency hasura/graphql-engine to v2.3.1
• chore(deps): update dependency lint-staged to v11.2.6
• chore(deps): update dependency prettier to v2.6.1
• chore(deps): update dependency supertest to v6.2.2
• chore(deps): update dependency ts-jest to v27.1.4
• chore(deps): update dependency ts-node to v10.7.0
• chore(deps): update dependency tsc-watch to v4.6.2
• chore(deps): update nest monorepo (@nestjs/cli, @nestjs/testing)
• fix(deps): update dependency @apollo/gateway to ^0.50.0
• chore(deps): update dependency postgres to v14
• fix(deps): update dependency @nestjs/terminus to v8
• fix(deps): update dependency nest-raven to v8
• fix(deps): update dependency nestjs-graphql-relay to v8
• fix(deps): update dependency typeorm-test-transactions to v3
• Click on this checkbox to rebase all open PRs at once

---

• Check this box to trigger a request for Renovate to run again on this repository

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

---

Occurrences

express:4.17.1 is a transitive dependency introduced by the following direct dependency(s):

• nest-cli:0.0.5
        └─ express:4.17.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

---

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• prettier-eslint-cli:5.0.0
        └─ lodash.memoize:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

---

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:26.1.0
        └─ @jest/core:26.1.0
              └─ jest-haste-map:26.1.0
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ snapdragon:0.8.2
                                      └─ base:0.11.2
                                            └─ cache-base:1.0.1
                                                  └─ has-value:1.0.0
                                                        └─ has-values:1.0.0
                                                              └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

---

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:26.1.0
        └─ @jest/core:26.1.0
              └─ jest-haste-map:26.1.0
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ snapdragon:0.8.2
                                      └─ define-property:0.2.5
                                            └─ is-descriptor:0.1.6
                                                  └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

---

Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/version:3.18.3
              └─ @lerna/github-client:3.16.5
                    └─ @octokit/rest:16.34.1
                          └─ lodash.uniq:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

---

Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/version:3.18.3
              └─ @lerna/conventional-commits:3.16.4
                    └─ lodash.template:4.5.0
                          └─ lodash._reinterpolate:3.0.0
                          └─ lodash.templatesettings:4.2.0
                                └─ lodash._reinterpolate:3.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

---

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.18.3
        └─ @lerna/version:3.18.3
              └─ @lerna/github-client:3.16.5
                    └─ @octokit/rest:16.34.1
                          └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash:3.10.1 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2019-10744] Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The...
• (CVSS 9.8) [CVE-2018-16487] A prototype pollution vulnerability was found in lodash <4.17.11 where the funct...
• (CVSS 9.6) CWE-506: Embedded Malicious Code
• (CVSS 8.8) [NPMJS]Prototype Pollution
• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2019-1010266] lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumpti...
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

---

Occurrences

lodash:3.10.1 is a transitive dependency introduced by the following direct dependency(s):

• nest-cli:0.0.5
        └─ lodash:3.10.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

---

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• jest:26.1.0
        └─ @jest/core:26.1.0
              └─ jest-haste-map:26.1.0
                    └─ sane:4.1.0
                          └─ micromatch:3.1.10
                                └─ braces:2.3.2
                                      └─ fill-range:4.0.0
                                            └─ is-number:3.0.0
                                                  └─ kind-of:3.2.2
                                      └─ snapdragon-node:2.1.1
                                            └─ snapdragon-util:3.0.1
                                                  └─ kind-of:3.2.2
                                └─ snapdragon:0.8.2
                                      └─ base:0.11.2
                                            └─ cache-base:1.0.1
                                                  └─ to-object-path:0.3.0
                                                        └─ kind-of:3.2.2
                                            └─ class-utils:0.3.6
                                                  └─ static-extend:0.1.2
                                                        └─ object-copy:0.1.0
                                                              └─ kind-of:3.2.2
                                      └─ define-property:0.2.5
                                            └─ is-descriptor:0.1.6
                                                  └─ is-accessor-descriptor:0.1.6
                                                        └─ kind-of:3.2.2
                                                  └─ is-data-descriptor:0.1.4
                                                        └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}