billmcchesney1 / batch
This project forked from visionmedia/batch
Simple async batch with concurrency control and progress reporting
License: MIT License
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (nyc): 14.0.0
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 5.15.2
⛑️ Automatic Remediation will be attempted for this issue.
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-unparser/node_modules/yargs-parser/package.json,/node_modules/nyc/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (mocha): 6.2.3
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (mocha): 6.2.3
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.
Publish Date: 2019-12-20
URL: CVE-2019-19919
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w457-6q6x-cgp9
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.12.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in base branch: master
Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Publish Date: 2020-09-30
URL: CVE-2019-20920
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2020-10-15
Fix Resolution (handlebars): 4.5.3
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: batch/package.json
Path to vulnerable library: batch/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-14
URL: WS-2019-0493
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-11-14
Fix Resolution: handlebars - 3.0.8,4.5.2
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/inquirer/node_modules/ansi-regex/package.json,/node_modules/yargs/node_modules/ansi-regex/package.json,/node_modules/table/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (eslint): 5.15.2
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (eslint): 5.15.2
⛑️ Automatic Remediation will be attempted for this issue.
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (nyc): 14.0.0
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 5.15.2
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: batch/package.json
Path to vulnerable library: batch/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. The lookup helper fails to validate templates. Attackers may submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for WS-2019-0331.
Publish Date: 2019-11-17
URL: WS-2019-0332
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/word-wrap/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution (word-wrap): 1.2.4
Direct dependency fix Resolution (eslint): 5.15.2
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.
Publish Date: 2019-01-30
URL: WS-2019-0064
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/755/
Release Date: 2019-01-30
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/node_modules/minimist/package.json,/node_modules/nyc/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (mocha): 6.2.3
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (nyc): 14.0.0
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/node_modules/minimist/package.json,/node_modules/nyc/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (mocha): 6.2.3
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (eslint): 5.15.2
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: batch/package.json
Path to vulnerable library: batch/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-19
URL: WS-2019-0492
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-11-19
Fix Resolution: handlebars - 3.0.8,4.5.3
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: master
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/async/package.json
Dependency Hierarchy:
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in base branch: master
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in base branch: master
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (nyc): 14.0.0
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Take a nested Javascript object and flatten it, or unflatten an object with delimited keys
Library home page: https://registry.npmjs.org/flat/-/flat-4.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/flat/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
Publish Date: 2022-12-25
URL: CVE-2020-36632
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2020-36632
Release Date: 2022-12-25
Fix Resolution (flat): 5.0.1
Direct dependency fix Resolution (mocha): 8.2.0
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-6.1.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/package.json
Dependency Hierarchy:
Found in base branch: master
There is a Regular Expression Denial of Service (ReDoS) vulnerability in mocha. It allows causing a denial of service when stripping a crafted invalid function definition from strings.
Publish Date: 2021-09-18
URL: WS-2021-0638
Base Score Metrics:
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: batch/package.json
Path to vulnerable library: batch/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. The lookup helper fails to validate templates. Attackers may submit templates that execute arbitrary JavaScript in the system.
Publish Date: 2019-11-13
URL: WS-2019-0331
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.
Publish Date: 2020-09-30
URL: CVE-2019-20922
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2020-09-30
Fix Resolution (handlebars): 4.4.5
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-3.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gxpj-cx7g-858c
Release Date: 2018-04-26
Fix Resolution (debug): 3.2.7
Direct dependency fix Resolution (mocha): 8.1.2
Fix Resolution (debug): 3.2.7
Direct dependency fix Resolution (nyc): 14.0.0
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/istanbul-lib-instrument/node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
Found in base branch: master
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 6.3.1
Direct dependency fix Resolution (eslint): 5.15.2
⛑️ Automatic Remediation will be attempted for this issue.
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in base branch: master
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/async/package.json
Dependency Hierarchy:
Found in base branch: master
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.
Publish Date: 2024-07-01
URL: CVE-2024-39249
Base Score Metrics:
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: batch/package.json
Path to vulnerable library: batch/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it is possible to add or modify properties of the Object prototype. This can also lead to DoS and RCE in certain conditions.
Publish Date: 2019-11-18
URL: WS-2019-0333
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: batch/package.json
Path to vulnerable library: batch/node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable to Regular Expression Denial of Service (ReDoS) once receiving specially crafted templates.
Publish Date: 2019-10-20
URL: WS-2019-0318
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1300
Release Date: 2019-12-01
Fix Resolution: handlebars - 4.4.5
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a67978a545e260e0f749a65f571026d3018783
Found in base branch: master
Handlebars before 4.6.0 is vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial of Service (DoS).
Publish Date: 2020-01-09
URL: WS-2020-0450
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-09
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (nyc): 14.0.0
⛑️ Automatic Remediation will be attempted for this issue.