Found Vulnerabilities!
Summary
| Severity | # of finds |
|---|---|
| Info | 0 |
| Low | 0 |
| Moderate | 0 |
| High | 6 |
| Critical | 0 |
| Total | 6 |
Can Be Updated
gatsby-cli (2.12.87)
Paths
- gatsby>gatsby-cli>update-notifier>configstore>dot-prop [dev]
Advisories
Prototype Pollution (High)
Vulnerable Versions: <5.1.1
Patched Versions: >=5.1.1
More Info: https://npmjs.com/advisories/1213
Overview
Versions of dot-prop before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
elliptic (6.5.3)
Paths
- gatsby>webpack>node-libs-browser>crypto-browserify>browserify-sign>elliptic [dev]
- gatsby>webpack>node-libs-browser>crypto-browserify>create-ecdh>elliptic [dev]
Advisories
Signature Malleability (High)
Vulnerable Versions: <6.5.3
Patched Versions: >=6.5.3
More Info: https://npmjs.com/advisories/1547
Overview
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
terser-webpack-plugin (1.4.5)
Paths
- gatsby>terser-webpack-plugin>serialize-javascript [dev]
- gatsby>webpack>terser-webpack-plugin>serialize-javascript [dev]
Advisories
Remote Code Execution (High)
Vulnerable Versions: <3.1.0
Patched Versions: >=3.1.0
More Info: https://npmjs.com/advisories/1548
Overview
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as `{"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"}` was serialized as `{"foo": /1"/, "bar": "a\/1"/}`, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.
The following proof-of-concept calls console.log() when run through eval():

```javascript
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');
```
Manual Review
dot-prop
Paths
- gatsby>devcert>configstore>dot-prop [dev]
Advisories
Prototype Pollution (High)
Vulnerable Versions: <5.1.1
Patched Versions: >=5.1.1
More Info: https://npmjs.com/advisories/1213
Overview
Versions of dot-prop before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
from gatsby-theme-admonation.