A webpack config tool chain.
- @best-shot/preset-asset
- @best-shot/preset-babel
- @best-shot/preset-react
- @best-shot/preset-style
- @best-shot/preset-vue
- @best-shot/preset-web
This project is inspired by neutrinojs.
A webpack config wrapper
License: MIT License
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/cli/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 8cae429b51e5cec3e9216d18427b6017b473bb7a
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.2
Step up your Open Source Security Game with WhiteSource here
Vulnerabilities
DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):
Occurrences
lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):
• jest:24.9.0
└─ jest-cli:24.9.0
└─ jest-config:24.9.0
└─ jest-environment-jsdom:24.9.0
└─ jsdom:11.12.0
└─ data-urls:1.1.0
└─ whatwg-url:7.1.0
└─ lodash.sortby:4.7.0
└─ whatwg-url:6.5.0
└─ lodash.sortby:4.7.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/core/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: a8953d0b43d31e6060e766d5d41ffe989e9fe8c6
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Vulnerabilities
DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):
Occurrences
lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-unicorn:9.1.1
└─ eslint-ast-utils:1.1.0
└─ lodash.get:4.4.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm
Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm
Dependency Hierarchy:
Found in HEAD commit: e42e3ebeb5ecd5c7903945143dfe941b96ec5692
The Easy Digital Downloads (EDD) Pushover Notifications extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Publish Date: 2019-10-23
URL: CVE-2015-9521
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-10-23
Fix Resolution: 2.2.0
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/marked/package.json
Dependency Hierarchy:
Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82
marked versions >0.3.14 and <0.6.2 have a Regular Expression Denial of Service vulnerability: email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the Node process due to resource exhaustion.
Publish Date: 2019-07-15
URL: WS-2019-0169
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/812
Release Date: 2019-07-15
Fix Resolution: 0.6.2
Vulnerabilities
DepShield reports that this application's usage of marked:0.5.2 results in the following vulnerability(s):
Occurrences
marked:0.5.2 is a transitive dependency introduced by the following direct dependency(s):
• docsify-cli:4.3.0
└─ docsify:4.9.4
└─ marked:0.5.2
Vulnerabilities
DepShield reports that this application's usage of lodash.camelcase:4.3.0 results in the following vulnerability(s):
Occurrences
lodash.camelcase:4.3.0 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-unicorn:9.1.1
└─ lodash.camelcase:4.3.0
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/mem/package.json
Dependency Hierarchy:
Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82
In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.
Publish Date: 2019-05-30
URL: WS-2018-0236
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744
Release Date: 2019-05-30
Fix Resolution: 4.0.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm
Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html
Path to vulnerable library: /best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html,/best-shot/node_modules/vm-browserify/example/run/index.html
Dependency Hierarchy:
Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50
jQuery before 2.2.0 is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response, leading to arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
Vulnerabilities
DepShield reports that this application's usage of lodash.isboolean:3.0.3 results in the following vulnerability(s):
Occurrences
lodash.isboolean:3.0.3 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/stylelint-config:0.0.14
└─ stylelint-scss:3.13.0
└─ lodash.isboolean:3.0.3
Vulnerabilities
DepShield reports that this application's usage of braces:1.8.5 results in the following vulnerability(s):
Occurrences
braces:1.8.5 is a transitive dependency introduced by the following direct dependency(s):
• docsify-cli:4.3.0
└─ livereload:0.7.0
└─ chokidar:1.7.0
└─ anymatch:1.3.2
└─ micromatch:2.3.11
└─ braces:1.8.5
Vulnerabilities
DepShield reports that this application's usage of lodash.camelcase:4.3.0 results in the following vulnerability(s):
Occurrences
lodash.camelcase:4.3.0 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-unicorn:9.1.1
└─ lodash.camelcase:4.3.0
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/marked/package.json
Dependency Hierarchy:
Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82
A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parenthesis in link URIs, coupled with a high number of link tokens in a single line.
Publish Date: 2019-03-17
URL: WS-2019-0024
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1679550
Release Date: 2019-03-17
Fix Resolution: 0.6.1
Extracting archives made easy
Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/decompress/package.json
Dependency Hierarchy:
Found in HEAD commit: 3bb086eec9a316bd798ebab9bec2ac54357eebff
decompress in all its versions is vulnerable to arbitrary file write. The package fails to prevent extraction of files with relative paths, which allows attackers to write to any folder on the system.
Publish Date: 2020-03-08
URL: WS-2020-0044
Base Score Metrics:
Vulnerabilities
DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):
Occurrences
lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-unicorn:9.1.1
└─ eslint-ast-utils:1.1.0
└─ lodash.get:4.4.2
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82
Affected versions of ws (0.2.6 to 3.3.0) are vulnerable: a specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/550/versions
Release Date: 2019-01-24
Fix Resolution: 3.3.1
Vulnerabilities
DepShield reports that this application's usage of lodash.snakecase:4.1.1 results in the following vulnerability(s):
Occurrences
lodash.snakecase:4.1.1 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-unicorn:9.1.1
└─ lodash.snakecase:4.1.1
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/dot-prop/package.json
Dependency Hierarchy:
Found in HEAD commit: 51d30335ac709bc663f8c932fa24f78deb7abcda
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm
Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm
Dependency Hierarchy:
Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@753d591
Release Date: 2019-03-25
Fix Resolution: Replace or update the following files: core.js, core.js
Vulnerabilities
DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):
Occurrences
debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-import:2.18.2
└─ eslint-import-resolver-node:0.3.2
└─ debug:2.6.9
└─ eslint-module-utils:2.4.1
└─ debug:2.6.9
└─ debug:2.6.9
• docsify-cli:4.3.0
└─ connect:3.7.0
└─ debug:2.6.9
└─ finalhandler:1.1.2
└─ debug:2.6.9
└─ docsify-server-renderer:4.9.1
└─ debug:2.6.9
└─ livereload:0.7.0
└─ chokidar:1.7.0
└─ readdirp:2.2.1
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ serve-static:1.14.1
└─ send:0.17.1
└─ debug:2.6.9
• jest:24.9.0
└─ jest-cli:24.9.0
└─ @jest/core:24.9.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ @jest/transform:24.9.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ jest-haste-map:24.9.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ sane:4.1.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ jest-message-util:24.9.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ jest-config:24.9.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
• nodemon:1.19.2
└─ chokidar:2.1.8
└─ anymatch:2.0.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ undefsafe:2.0.2
└─ debug:2.6.9
• webpack:4.40.2
└─ watchpack:1.6.0
└─ chokidar:2.1.8
└─ anymatch:2.0.0
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ micromatch:3.1.10
└─ snapdragon:0.8.2
└─ debug:2.6.9
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 7e63708c8ad3a0eb621e66e23ba61b9b9091c8ef
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
Vulnerabilities
DepShield reports that this application's usage of lodash.snakecase:4.1.1 results in the following vulnerability(s):
Occurrences
lodash.snakecase:4.1.1 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-unicorn:9.1.1
└─ lodash.snakecase:4.1.1
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/is-data-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/has-values/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/preset-style/node_modules/is-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: 0870141f23f0f6d1ea27c0f452cd606a07bc6342
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/livereload/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.
Publish Date: 2019-03-25
URL: WS-2019-0019
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/786
Release Date: 2019-02-21
Fix Resolution: 2.3.1
Vulnerabilities
DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):
Occurrences
lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):
• jest:24.9.0
└─ jest-cli:24.9.0
└─ jest-config:24.9.0
└─ jest-environment-jsdom:24.9.0
└─ jsdom:11.12.0
└─ data-urls:1.1.0
└─ whatwg-url:7.0.0
└─ lodash.sortby:4.7.0
└─ whatwg-url:6.5.0
└─ lodash.sortby:4.7.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/sockjs/examples/echo/index.html
Path to vulnerable library: /best-shot/packages/dev-server/node_modules/sockjs/examples/echo/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/express-3.x/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/express/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/hapi/html/index.html,/best-shot/packages/dev-server/node_modules/sockjs/examples/multiplex/index.html
Dependency Hierarchy:
Found in HEAD commit: d55971df321316923fe09935f3912bd976b5c8da
In jQuery before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-3.0.1.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/mem/package.json
Dependency Hierarchy:
Found in HEAD commit: cf2ae09d8554a43375c2ecb58fb7129a9df6f4fe
Denial of Service (DoS) vulnerability found in mem before 4.0.0. Old values are not removed from the cache; as a result, an attacker may exhaust the system's memory.
Publish Date: 2019-12-01
URL: WS-2019-0307
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2019-12-01
Fix Resolution: mem - 4.0.0
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: f98bcd3402d2bc1b4a7a01da891e5f6d6c31fb6c
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
Base Score Metrics:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html
Path to vulnerable library: /best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html,/best-shot/node_modules/vm-browserify/example/run/index.html
Dependency Hierarchy:
Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/marked/package.json
Dependency Hierarchy:
Found in HEAD commit: e53a666fb0265cd6a72b869c0cf1dd16e2abfa82
marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.
Publish Date: 2019-09-05
URL: WS-2019-0209
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1076
Release Date: 2019-09-05
Fix Resolution: 0.7.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/node_modules/figlet/examples/front-end/index.htm
Path to vulnerable library: /best-shot/node_modules/figlet/examples/front-end/index.htm
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html
Path to vulnerable library: /best-shot/packages/cli/node_modules/vm-browserify/example/run/index.html,/best-shot/node_modules/vm-browserify/example/run/index.html
Dependency Hierarchy:
Found in HEAD commit: 27596f8f3bf52ec7ede6b04a3d0c2c9d8d9d9b50
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Vulnerabilities
DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):
Occurrences
debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/eslint-config-base:0.0.4
└─ eslint-plugin-import:2.18.2
└─ eslint-import-resolver-node:0.3.2
└─ debug:2.6.9
└─ eslint-module-utils:2.4.1
└─ debug:2.6.9
└─ debug:2.6.9
• docsify-cli:4.4.0
└─ connect:3.7.0
└─ debug:2.6.9
└─ finalhandler:1.1.2
└─ debug:2.6.9
└─ docsify-server-renderer:4.9.1
└─ debug:2.6.9
└─ serve-static:1.14.1
└─ send:0.17.1
└─ debug:2.6.9
• nodemon:2.0.0
└─ undefsafe:2.0.2
└─ debug:2.6.9
• webpack:4.41.2
└─ micromatch:3.1.10
└─ extglob:2.0.4
└─ expand-brackets:2.1.4
└─ debug:2.6.9
└─ snapdragon:0.8.2
└─ debug:2.6.9
Vulnerabilities
DepShield reports that this application's usage of lodash.isstring:4.0.1 results in the following vulnerability(s):
Occurrences
lodash.isstring:4.0.1 is a transitive dependency introduced by the following direct dependency(s):
• @nice-move/stylelint-config:0.0.14
└─ stylelint-scss:3.13.0
└─ lodash.isstring:4.0.1
Vulnerabilities
DepShield reports that this application's usage of marked:0.5.2 results in the following vulnerability(s):
Occurrences
marked:0.5.2 is a transitive dependency introduced by the following direct dependency(s):
• docsify:4.9.4
└─ marked:0.5.2
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/preset-style/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/lodash/package.json,/best-shot/packages/dev-server/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 686f0921735bf909d78b591cd08995e46826027a
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /tmp/ws-scm/best-shot/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 399375ae76f002a0bacca7efe96f39db0b0ecd49
All versions of elliptic are vulnerable to timing attacks through side channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
Base Score Metrics:
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
These updates await pending status checks. To force their creation now, click the checkbox below.
@babel/core, @babel/plugin-transform-react-constant-elements, @babel/plugin-transform-react-inline-elements, @babel/preset-react, @babel/preset-typescript
.github/workflows/bring-it.yaml
package.json
react ~18.3.1
react-dom ~18.3.1
vue ^3.4.27
@babel/core ^7.24.5
@bring-it/npm ^0.5.4
@nice-move/cli ^0.11.12
@nice-move/eslint-config-base ^0.11.8
@nice-move/prettier-config ^0.12.3
@nice-move/stylelint-config ^0.10.6
@nice-move/syncpack-config ^0.1.3
@nice-move/tsconfig ^0.2.3
ava ^6.1.3
eslint ^8.57.0
eslint-plugin-ava ^14.0.0
garou ^0.7.5
nodemon ^3.1.0
prettier ^3.2.5
stylelint ^16.5.0
syncpack ^12.3.2
typescript ~5.4.5
webpack ^5.91.0
pnpm 9.1.1
packages/analyzer/package.json
webpack-bundle-analyzer ^4.10.2
packages/best-shot/package.json
terser ^5.31.0
terser-webpack-plugin ^5.3.10
webpack ^5.91.0
yaml-loader ^0.8.1
packages/cli/package.json
chalk ^5.3.0
cheetor ^0.13.0
webpackbar ^6.0.1
packages/config/package.json
chalk ^5.3.0
prompts ^2.4.2
packages/core/package.json
@best-shot/webpack-chain ^8.1.5
browserslist ^4.23.0
case-sensitive-paths-webpack-plugin ^2.4.0
chalk ^5.3.0
copy-webpack ^4.2.0
deepmerge ^4.3.1
ext-to-regexp ^0.1.0
json-minimizer-webpack-plugin ^5.0.0
slash ^5.1.0
slash-to-regexp ^0.0.4
terser ^5.31.0
terser-webpack-plugin ^5.3.10
yaml-loader ^0.8.1
packages/dev-server/package.json
chalk ^5.3.0
ejs ^3.1.10
express ^4.19.2
launch-editor-middleware ^2.6.1
webpack-dev-server ^5.0.4
webpack-dev-server-waitpage ^3.0.0
packages/env/package.json
@ltd/j-toml ^1.38.0
chalk ^5.3.0
flat ^6.0.1
ini ^4.1.2
yaml ^2.4.2
packages/inspector/package.json
fs-extra ^11.2.0
javascript-stringify ^2.1.0
sort-keys ^5.0.0
packages/no-cache-loader/package.json
packages/preset-asset/package.json
@astropub/codecs ^0.4.4
@sindresorhus/transliterate ^1.6.0
@volue/wasm-codecs-gifsicle ^1.0.0
ext-to-regexp ^0.1.0
image-minimizer-webpack-plugin ^4.0.0
svgo ^3.3.2
svgo-config ^0.7.0
packages/preset-babel/package.json
@babel/preset-typescript ^7.24.1
babel-loader ^9.1.3
babel-preset-evergreen ^0.9.15
browserslist ^4.23.0
ext-to-regexp ^0.1.0
slash-to-regexp ^0.0.4
packages/preset-react/package.json
@babel/plugin-transform-react-constant-elements ^7.24.1
@babel/plugin-transform-react-inline-elements ^7.24.1
@babel/preset-react ^7.24.1
@pmmmwh/react-refresh-webpack-plugin ^0.5.13
babel-plugin-transform-react-remove-prop-types ^0.4.24
react-refresh ^0.14.2
settingz ^0.2.0
packages/preset-style/package.json
css-loader ^7.1.1
css-minimizer-webpack-plugin ^7.0.0
cssnano ^7.0.1
ext-to-regexp ^0.1.0
less ^4.2.0
less-loader ^12.2.0
mini-css-extract-plugin ^2.9.0
postcss ^8.4.38
postcss-loader ^8.1.1
postcss-preset-evergreen ^0.5.9
resolve-url-loader ^5.0.0
sass ^1.77.1
sass-loader ^14.2.1
settingz ^0.2.0
slash-to-regexp ^0.0.4
style-loader ^4.0.0
packages/preset-vue/package.json
@best-shot/vue-loader 17.4.3
css-loader ^7.1.1
ext-to-regexp ^0.1.0
packages/preset-web/package.json
ext-to-regexp ^0.1.0
html-add-asset-webpack-plugin ^0.2.0
html-minimizer-webpack-plugin ^5.0.0
html-webpack-plugin ^5.6.0
micro-tpl-loader ^0.1.0
slash ^5.1.0
slash-to-regexp ^0.0.4
suffix ^1.0.0
webpack-subresource-integrity 5.2.0-rc.1
packages/validator/package.json
ajv ^8.13.0
ajv-formats ^3.0.1
ajv-keywords ^5.1.0
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/best-shot/packages/dev-server/package.json
Path to vulnerable library: /tmp/ws-scm/best-shot/packages/dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 678f34f88b46ed64a2e6bc8f1e87a619d618f179
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.