
exadel-inc / esl

57.0 6.0 9.0 231.02 MB

Lightweight and flexible UI component library based on web components technology for creating basic UX modules

Home Page: https://esl-ui.com

License: MIT License

JavaScript 1.93% Less 6.74% TypeScript 72.97% Nunjucks 18.35% Gherkin 0.02%
custom-elements custom-elements-ts lightweight flexible component-library typescript web-components accordion tabs scrollbar

esl's People

Contributors

abarmina, ala-n, alexanderavseev, andreybelous, anna-mariiapetryk, ashwinair, aswinidev, dependabot[bot], dmantsevich-exadel, dshovchko, ek-tereshko, fshovchko, grechihinrhp, henadzv, julia-murashko, mamina-gordost, nastaleo, natalie-smirnova, nattallius, onyinye91-ctrl, petemarianne, rtkimz, semantic-release-bot, vbaranov-exadel, yadamskaya, yanabr

esl's Issues

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: rails/jquery-rails@8f601cb

Release Date: 2020-05-19

Fix Resolution: jquery-rails - 2.2.0


Step up your Open Source Security Game with WhiteSource here

ESL Media Query support for complex expressions

Add the ability to define ESL Media Queries with single or multiple 'not' operators, and "and"/"or" conditions

Examples
not @xs,
not (hover: none)
@xs and not @ie
not (max-width: 800) or not (max-height: 800)

CVE-2021-33502 (High) detected in normalize-url-6.0.0.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Library - normalize-url-6.0.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-6.0.0.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • npm-7.1.3.tgz (Root Library)
    • normalize-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1364af76a5542500c86b186babcd6a2ca000efc9

Found in base branch: main

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

CVE-2021-23364 (Medium) detected in browserslist-4.16.3.tgz - autoclosed

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/browserslist/package.json

Dependency Hierarchy:

  • webpack-5.37.1.tgz (Root Library)
    • browserslist-4.16.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

CVE-2020-11023 (Medium) detected in jquery-3.3.1.slim.min.js, jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-3.3.1.slim.min.js, jquery-1.8.1.min.js

jquery-3.3.1.slim.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js

Path to dependency file: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html

Path to vulnerable library: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html

Dependency Hierarchy:

  • jquery-3.3.1.slim.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

CVE-2021-23368 (Medium) detected in postcss-7.0.35.tgz - autoclosed

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: esl/package.json

Path to vulnerable library:

  • esl/node_modules/autoprefixer/node_modules/postcss/package.json
  • esl/node_modules/postcss-scss/node_modules/postcss/package.json
  • esl/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • esl/node_modules/postcss-sass/node_modules/postcss/package.json
  • esl/node_modules/postcss-less/node_modules/postcss/package.json
  • esl/node_modules/stylelint/node_modules/postcss/package.json
  • esl/node_modules/sugarss/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-13.13.0.tgz (Root Library)
    • sugarss-2.0.0.tgz
      • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: fea7edcd7d1370e2680785c3b1f8dbad4d63b1c7

Found in base branch: main

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss - 8.2.10

ESLPopup: positioning feature

As an ESL tech architect, I want to

  • see a flexible mechanism for the position definition of ESLPopup
  • support different positioning strategies for ESLPopup

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2021-23368 (Medium) detected in postcss-7.0.35.tgz - autoclosed

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: esl/package.json

Path to vulnerable library:

  • esl/node_modules/autoprefixer/node_modules/postcss/package.json
  • esl/node_modules/postcss-scss/node_modules/postcss/package.json
  • esl/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • esl/node_modules/postcss-sass/node_modules/postcss/package.json
  • esl/node_modules/postcss-less/node_modules/postcss/package.json
  • esl/node_modules/stylelint/node_modules/postcss/package.json
  • esl/node_modules/sugarss/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-13.13.1.tgz (Root Library)
    • sugarss-2.0.0.tgz
      • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: f4ed690da6b66d24ec5574913d6c5ac2ca38d2eb

Found in base branch: main

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss - 8.2.10

CVE-2019-8331 (Medium) detected in bootstrap-4.1.3.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-4.1.3.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/js/bootstrap.min.js

Path to dependency file: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html

Path to vulnerable library: esl/node_modules/@exadel/server-sketch/views/layouts/localdev-theme.html

Dependency Hierarchy:

  • bootstrap-4.1.3.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1, 4.3.1; bootstrap-sass - 3.4.1, 4.3.1

CVE-2021-23382 (Medium) detected in postcss-7.0.35.tgz - autoclosed

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: esl/package.json

Path to vulnerable library:

  • esl/node_modules/autoprefixer/node_modules/postcss/package.json
  • esl/node_modules/postcss-scss/node_modules/postcss/package.json
  • esl/node_modules/postcss-safe-parser/node_modules/postcss/package.json
  • esl/node_modules/postcss-sass/node_modules/postcss/package.json
  • esl/node_modules/postcss-less/node_modules/postcss/package.json
  • esl/node_modules/stylelint/node_modules/postcss/package.json
  • esl/node_modules/sugarss/node_modules/postcss/package.json

Dependency Hierarchy:

  • stylelint-13.13.1.tgz (Root Library)
    • sugarss-2.0.0.tgz
      • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: f4ed690da6b66d24ec5574913d6c5ac2ca38d2eb

Found in base branch: main

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

CVE-2021-23362 (Medium) detected in hosted-git-info-2.8.8.tgz - autoclosed

CVE-2021-23362 - Medium Severity Vulnerability

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: esl/package.json

Path to vulnerable library:

  • esl/node_modules/eslint-plugin-import/node_modules/hosted-git-info/package.json
  • esl/node_modules/read-pkg/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • read-pkg-up-2.0.0.tgz
      • read-pkg-2.0.0.tgz
        • normalize-package-data-2.5.0.tgz
          • hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9, 3.0.8

[🚀]: Add 'container query' like syntax support for ESLImage

As an ESLImage consumer, I want to be able to define image sources per container query instead of a browser window Media Query.

Container Query defines size conditions such as min-height, max-width, etc. per the current element size.
That means that the query ~'(min-width: 400px)' is accepted if the current image element is more than 400px wide.

GH Pages: Setup MD renderer for GH Pages

As an ESL contributor, I want to be able to use Markdown syntax as a primary content source on the ESL demo site.

Note: It would be nice to be able to refer to existing documentation in the src directory.

WS-2019-0425 (Medium) detected in mocha-2.5.3.min.js

WS-2019-0425 - Medium Severity Vulnerability

Vulnerable Library - mocha-2.5.3.min.js

simple, flexible, fun test framework

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mocha/2.5.3/mocha.min.js

Path to dependency file: esl/node_modules/intersection-observer/intersection-observer-test.html

Path to vulnerable library: esl/node_modules/intersection-observer/intersection-observer-test.html

Dependency Hierarchy:

  • mocha-2.5.3.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.

Publish Date: 2019-01-24

URL: WS-2019-0425

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: v6.0.0

Release Date: 2020-05-07

Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559

ESL Media Query API extension

Extend ESL Media Query API with the following methods and updates:

  • add a `for` method to easily get a cached ESLMediaQuery (ESLMediaQuery.for('@xs').matches)
  • remove (or move to the proper place) the ignoreBotDpr marker
  • optimize caching and parsing

(Optional) Add separate ESLBreakpoint utility to manage breakpoint aliases and related extra API
E.g.:
ESLBreakpoints.names
ESLBreakpoints.get('xs')
ESLBreakpoints.current

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/npm/node_modules/ssri/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.12.tgz
      • ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: v8.0.1

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • browser-sync-ui-2.26.14.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.1.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution: xmlhttprequest - 1.7.0; xmlhttprequest-ssl - 1.6.2

Bug: TS types are missing for document.createElement default ESL tag names

As an ESL consumer, I want to have an optional type extension for document.createElement with default ESL tag names.

Example

const el: ESLToggleable = document.createElement('esl-toggleable'); // type error

Expected behavior

const el: ESLToggleable = document.createElement('esl-toggleable');

Environment

  • TypeScript

Update ESL Media Query with new shortcuts

Add support for the following list of conditions to the ESLMediaQuery:

  • Device type shortcuts (@bot, @desktop, @mobile)
  • Browsers/engines (@ie, @blink, @gecko)
  • Touch support (@touch)

Add the ability to define user-defined custom shortcuts backed by string media queries, simple static conditions, or "replacer" functions

Shortcuts.add('nohover', '(hover: none)')
Shortcuts.add('touch', DeviceDetector.isTouch)
Shortcuts.add(/(x|m|l)-size/, (match, group1) => 'media query')

[🔨 lint]: consider html-lint plugin integration

As an ESL contributor, I would feel much more comfortable if my HTML markup code (.njk) were linted smarter than lint-space alone does.

Open questions:

  • does the lint plugin support njk and partial structures?
  • is there a lint plugin with light dependencies (something like phantomjs is too heavy in our case right now)?

CVE-2021-33623 (High) detected in trim-newlines-3.0.0.tgz - autoclosed

CVE-2021-33623 - High Severity Vulnerability

Vulnerable Library - trim-newlines-3.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/trim-newlines/package.json

Dependency Hierarchy:

  • stylelint-13.13.1.tgz (Root Library)
    • meow-9.0.0.tgz
      • trim-newlines-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1364af76a5542500c86b186babcd6a2ca000efc9

Found in base branch: main

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1

ESL Scrollbar: full RTL support

As an ESL Scrollbar consumer, I want to be able to use horizontal scrollbar instances inside an RTL direction context.

As an ESL tech architect, I want to have short and clear inner logic for the ESL Scrollbar after the update, as it is available right now.

CVE-2020-36048 (High) detected in engine.io-3.5.0.tgz - autoclosed

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/engine.io/package.json

Dependency Hierarchy:

  • browser-sync-2.27.7.tgz (Root Library)
    • socket.io-2.4.0.tgz
      • engine.io-3.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution: engine.io - 4.0.0

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

  • npm-7.0.10.tgz (Root Library)
    • npm-6.14.11.tgz
      • cacache-12.0.3.tgz
        • y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

ESL Footnote & ESL Note components

Add new ESL Footnote and ESL Note components to manage the page footnotes feature.

ESL Note is an inline text component to define a text footnote.
Lorem ipsum<esl-note>some extra note</esl-note>

ESL Footnote is a component to define a notes area and collect notes content.

ESL Notes within the bounds of an ESLFootnote area replace their content with a sequential number and place their content inside the ESL Footnote container.

The user should be able to see the ESL Note content inside the Tooltip on hover or click on the ESL Note instance.
The user should also be able to move to the note from the footnotes container.

[🚩gh-pages]: UIPlayground integration

Integrate the upcoming @exadel/ui-playground library into ESL GHPages demo site.


  • ✅ I Iteration: Initial

    • create a loading bundle for ui-playground
    • create a loading mechanism for ui-playground
    • migrate (on draft page) the "Example: Accordion" page to ui-playground
    • migrate (on draft page) the "Example: Media (Audio / Media)" page to ui-playground
    • migrate (on draft page) the "Example: Scrollbar" page to ui-playground
    • place links from current pages to drafts
  • UX is under discussion

POC: ESL Popup (beta) update

Add (replace) ESLPopup with an ESL Toggleable implementation, with the following abilities:

  • manage its DOM placement (automatically move to the body in the active state)
  • auto-positioning relative to the activator (trigger)
  • (optional) arrow support
  • ability to choose behavior (optional avoiding instance overflow) and placement (top/bottom/left/right/center)

CVE-2021-31597 (High) detected in xmlhttprequest-ssl-1.5.5.tgz - autoclosed

CVE-2021-31597 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • browser-sync-ui-2.26.14.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.1.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution: xmlhttprequest-ssl - 1.6.1

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.23.4.tgz (Root Library)
    • resolve-1.20.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: f4ed690da6b66d24ec5574913d6c5ac2ca38d2eb

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.22.1.tgz (Root Library)
    • resolve-1.20.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: fea7edcd7d1370e2680785c3b1f8dbad4d63b1c7

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2021-32640 (Medium) detected in ws-7.4.4.tgz - autoclosed

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-7.4.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.4.tgz

Path to dependency file: esl/package.json

Path to vulnerable library: esl/node_modules/ws/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • socket.io-2.4.0.tgz
      • engine.io-3.5.0.tgz
        • ws-7.4.4.tgz (Vulnerable Library)

Found in HEAD commit: 1364af76a5542500c86b186babcd6a2ca000efc9

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6

ESL Tooltip (beta) component

Add a new ESLToggleable based component with the following list of features:

  • showing a small piece of HTML content inside an absolutely positioned area
  • should automatically move itself to the body on show
  • should be auto-positioned relative to the activator/anchor
  • should support "arrow" decoration to the side of activator placement
  • should have a shared instance to be called by static show function

ESL Utils: provide window utils

As an ESL Utils consumer, I want to be able to use window utils.

As an ESL tech architect, I want to extend ESL Utils with window utils such as windowY, windowX, windowWidth (position utils).

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: esl/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: esl/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 53908c2bc68618361e9a339520df6c980f468de2

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0
