The dependency react-router-dom was updated from 5.0.1 to 5.1.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

react-router-dom is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.11.1 to 1.11.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 2 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15

Your Greenkeeper Bot 🌴

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Libraries - js-yaml-3.12.0.tgz, js-yaml-3.12.2.tgz

js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

path: null

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Dependency Hierarchy:

• styled-10.0.5.tgz (Root Library)
  • babel-plugin-emotion-10.0.5.tgz
    • babel-plugin-macros-2.4.3.tgz
      • cosmiconfig-5.0.7.tgz
        • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

js-yaml-3.12.2.tgz

YAML 1.2 parser and serializer

path: /tmp/git/react/basic-react-example[map-with-key]/node_modules/js-yaml/package.json

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.2.tgz

Dependency Hierarchy:

• react-scripts-2.1.8.tgz (Root Library)
  • eslint-5.12.0.tgz
    • ❌ js-yaml-3.12.2.tgz (Vulnerable Library)

Found in HEAD commit: 439c681c5c20d7406c8b96f2e84405bd304e0581

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-26

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-26

Fix Resolution: 3.13.0

Step up your Open Source Security Game with WhiteSource here

The dependency react-router-dom was updated from 4.3.1 to 4.4.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

react-router-dom is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4

Your Greenkeeper Bot 🌴

There have been updates to the react monorepo:

• • The dependency react was updated from 16.8.4 to 16.8.5.

• The dependency react-dom was updated from 16.8.4 to 16.8.5.
• The devDependency react-test-renderer was updated from 16.8.4 to 16.8.5.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the react group definition.

react is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4

Your Greenkeeper Bot 🌴

The devDependency webpack-bundle-analyzer was updated from 3.1.0 to 3.2.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-bundle-analyzer is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15
Medium	5.0	[WS-2019-0047]( "Go to CVE Details")	#21

Your Greenkeeper Bot 🌴

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-4.4.1.tgz

tar for node

path: null

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Dependency Hierarchy:

• react-scripts-2.1.8.tgz (Root Library)
  • fsevents-1.2.4.tgz
    • node-pre-gyp-0.10.0.tgz
      • ❌ tar-4.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 7d6c3cc20f81de03f185661539b9d4e935cd5391

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Step up your Open Source Security Game with WhiteSource here

The devDependency regenerator-runtime was updated from 0.13.1 to 0.13.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

regenerator-runtime is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4

Your Greenkeeper Bot 🌴

The dependency nodemon was updated from 1.18.11 to 1.19.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

nodemon is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

The devDependency webpack-dev-server was updated from 3.3.1 to 3.4.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-dev-server is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency babel-plugin-transform-async-to-promises was updated from 0.8.6 to 0.8.7.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

babel-plugin-transform-async-to-promises is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4

Your Greenkeeper Bot 🌴

The devDependency uglifyjs-webpack-plugin was updated from 2.1.2 to 2.1.3.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

uglifyjs-webpack-plugin is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🚨 You need to enable Continuous Integration on Greenkeeper branches of this repository. 🚨

To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.

Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.

If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.

Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please click the 'fix repo' button on account.greenkeeper.io.

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.13.0 to 1.13.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.11.1 to 1.11.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 2 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15

Your Greenkeeper Bot 🌴

The devDependency webpack was updated from 4.30.0 to 4.31.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

We have detected a problem with your Greenkeeper config file 🚨

Greenkeeper currently can’t work with your greenkeeper.json config file because it is invalid. We found the following issues:

1. The package path examples/basic-react-example[map-with-key]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).
2. The package path examples/basic-redux-example[redux-promise]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).
3. The package path examples/basic-redux-example[redux-thunk]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).
4. The package path examples/basic-webpack[default]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).

Please correct these and commit the fix to your default branch (usually master). Greenkeeper will pick up your changes and try again. If in doubt, please consult the config documentation.

Here’s an example of a valid greenkeeper.json:

{
  "groups": {
    "frontend": {
      "packages": [
        "webapp/package.json",
        "cms/package.json",
        "analytics/package.json"
      ]
    },
    "build": {
      "packages": [
        "package.json"
      ]
    }
  },
  "ignore": [
    "standard",
    "eslint"
  ]
}

This files tells Greenkeeper to handle all dependency updates in two groups. All files in the frontend group will receive updates together, in one issue or PR, and the root-level package.json in the build group will be treated separately. In addition, Greenkeeper will never send updates for the standard and eslint packages.

🤖 🌴

The dependency body-parser was updated from 1.18.3 to 1.19.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

body-parser is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

There have been updates to the emotion monorepo:

• • The dependency @emotion/core was updated from 10.0.9 to 10.0.10.

• The dependency @emotion/styled was updated from 10.0.10 to 10.0.11.
• The devDependency babel-plugin-emotion was updated from 10.0.8 to 10.0.9.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the emotion group definition.

emotion is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

The devDependency webpack-merge was updated from 4.2.1 to 4.2.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-merge is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

WS-2019-0034 - Medium Severity Vulnerability

Vulnerable Libraries - js-yaml-3.12.0.tgz, js-yaml-3.12.2.tgz

js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

path: null

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Dependency Hierarchy:

• styled-10.0.5.tgz (Root Library)
  • babel-plugin-emotion-10.0.5.tgz
    • babel-plugin-macros-2.4.3.tgz
      • cosmiconfig-5.0.7.tgz
        • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

js-yaml-3.12.2.tgz

YAML 1.2 parser and serializer

path: /tmp/git/react/basic-react-example[map-with-key]/node_modules/js-yaml/package.json

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.2.tgz

Dependency Hierarchy:

• react-scripts-2.1.8.tgz (Root Library)
  • eslint-5.12.0.tgz
    • ❌ js-yaml-3.12.2.tgz (Vulnerable Library)

Found in HEAD commit: 45e8e7d96aa6466ec2d01245e6fbe62d5bc895f7

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-31

URL: WS-2019-0034

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788

Release Date: 2019-03-31

Fix Resolution: 3.13.0

Step up your Open Source Security Game with WhiteSource here

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.12.0 to 1.12.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

There have been updates to the emotion monorepo:

• • The dependency @emotion/core was updated from 10.0.9 to 10.0.10.

• The dependency @emotion/styled was updated from 10.0.9 to 10.0.10.
• The devDependency babel-plugin-emotion was updated from 10.0.8 to 10.0.9.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the emotion group definition.

emotion is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.12.0 to 1.12.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency webpack-dev-middleware was updated from 3.6.2 to 3.7.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-dev-middleware is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.11.2 to 1.12.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15
Medium	5.0	[WS-2019-0047]( "Go to CVE Details")	#21

Your Greenkeeper Bot 🌴

There have been updates to the babel7 monorepo:

• • The devDependency @babel/core was updated from 7.5.0 to 7.5.4.

• The devDependency @babel/plugin-proposal-class-properties was updated from 7.4.4 to 7.5.0.
• The devDependency @babel/plugin-transform-runtime was updated from 7.4.4 to 7.5.0.
• The devDependency @babel/polyfill was updated from 7.4.3 to 7.4.4.
• The devDependency @babel/preset-env was updated from 7.5.3 to 7.5.4.
• The devDependency @babel/register was updated from 7.4.0 to 7.4.4.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the babel7 group definition.

babel7 is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency webpack-hot-middleware was updated from 2.24.3 to 2.24.4.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-hot-middleware is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.13.0 to 1.13.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency webpack-dev-middleware was updated from 3.6.1 to 3.6.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-dev-middleware is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 2 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15

Your Greenkeeper Bot 🌴

CVE-2018-3728 - Medium Severity Vulnerability

Vulnerable Library - hoek-4.2.1.tgz

General purpose node utilities

path: /tmp/git/react/basic-redux-example[redux-thunk]/node_modules/hoek/package.json

Library home page: https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz

Dependency Hierarchy:

• react-scripts-2.1.1.tgz (Root Library)
  • workbox-webpack-plugin-3.6.3.tgz
    • workbox-build-3.6.3.tgz
      • joi-11.4.0.tgz
        • ❌ hoek-4.2.1.tgz (Vulnerable Library)

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: hapijs/hoek@623667e

Release Date: 2018-02-15

Fix Resolution: Replace or update the following files: index.js, index.js

Step up your Open Source Security Game with WhiteSource here

The dependency lodash was updated from 4.17.11 to 4.17.12.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

lodash is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

The devDependency babel-plugin-transform-async-to-promises was updated from 0.8.9 to 0.8.10.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

babel-plugin-transform-async-to-promises is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The dependency dotenv was updated from 8.1.0 to 8.2.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

dotenv is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.12.0 to 1.12.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15
Medium	5.0	[WS-2019-0047]( "Go to CVE Details")	#21

Your Greenkeeper Bot 🌴

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/react/basic-redux-example[redux-thunk]/node_modules/braces/package.json,/tmp/git/react/react-redux-webpack-client/node_modules/jest/node_modules/braces/package.json,/tmp/git/react/basic-react-example[map-with-key]/node_modules/braces/package.json,/tmp/git/react/basic-redux-example[redux-promise]/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• jest-23.6.0.tgz (Root Library)
  • jest-cli-23.6.0.tgz
    • micromatch-2.3.11.tgz
      • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-02-21

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Step up your Open Source Security Game with WhiteSource here

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.12.1 to 1.13.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency babel-loader was updated from 8.0.5 to 8.0.6.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

babel-loader is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The dependency nodemon was updated from 1.18.10 to 1.18.11.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

nodemon is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0047]( "Go to CVE Details")	#21
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15

Your Greenkeeper Bot 🌴

We have detected a problem with your Greenkeeper config file 🚨

Greenkeeper currently can’t work with your greenkeeper.json config file because it is invalid. We found the following issues:

1. The package path basic-react-example[map-with-key]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).
2. The package path basic-redux-example[redux-promise]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).
3. The package path basic-redux-example[redux-thunk]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).
4. The package path basic-webpack[default]/package.json in the group default is invalid. It must be a relative path to a package.json file. The path may not start with a slash, and it must end in package.json. Allowed characters for a path are alphanumeric, underscores, dashes, periods and the @ symbol (a-zA-Z_-.@).

Please correct these and commit the fix to your default branch (usually master). Greenkeeper will pick up your changes and try again. If in doubt, please consult the config documentation.

Here’s an example of a valid greenkeeper.json:

{
  "groups": {
    "frontend": {
      "packages": [
        "webapp/package.json",
        "cms/package.json",
        "analytics/package.json"
      ]
    },
    "build": {
      "packages": [
        "package.json"
      ]
    }
  },
  "ignore": [
    "standard",
    "eslint"
  ]
}

This files tells Greenkeeper to handle all dependency updates in two groups. All files in the frontend group will receive updates together, in one issue or PR, and the root-level package.json in the build group will be treated separately. In addition, Greenkeeper will never send updates for the standard and eslint packages.

🤖 🌴

The devDependency webpack-cli was updated from 3.3.0 to 3.3.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-cli is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

There have been updates to the enzyme monorepo:

• • The devDependency enzyme was updated from 3.8.0 to 3.9.0.

• The devDependency enzyme-adapter-react-16 was updated from 1.13.1 to 1.13.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the enzyme group definition.

enzyme is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency webpack was updated from 4.29.6 to 4.30.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0047]( "Go to CVE Details")	#21
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15

Your Greenkeeper Bot 🌴

The dependency react-redux was updated from 7.0.2 to 7.0.3.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

react-redux is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

There have been updates to the babel7 monorepo:

• • The devDependency @babel/core was updated from 7.3.4 to 7.4.0.

• The devDependency @babel/plugin-proposal-class-properties was updated from 7.3.4 to 7.4.0.
• The devDependency @babel/plugin-transform-runtime was updated from 7.3.4 to 7.4.0.
• The devDependency @babel/polyfill was updated from 7.2.5 to 7.4.0.
• The devDependency @babel/preset-env was updated from 7.4.0 to 7.4.1.
• The devDependency @babel/register was updated from 7.0.0 to 7.4.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

This monorepo update includes releases of one or more dependencies which all belong to the babel7 group definition.

babel7 is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 1 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4

Your Greenkeeper Bot 🌴

The devDependency webpack-dev-server was updated from 3.2.1 to 3.3.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-dev-server is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	5.0	WS-2019-0019	#4
Medium	5.0	[WS-2019-0032]( "Go to CVE Details")	#15
Medium	5.0	[WS-2019-0047]( "Go to CVE Details")	#21

Your Greenkeeper Bot 🌴

The devDependency clean-webpack-plugin was updated from 2.0.1 to 2.0.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

clean-webpack-plugin is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency jest-watch-typeahead was updated from 0.3.0 to 0.3.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

jest-watch-typeahead is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The dependency express was updated from 4.16.4 to 4.17.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

express is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴