GithubHelp home page GithubHelp logo

scriptex / animateme Goto Github PK

View Code? Open in Web Editor NEW
12.0 3.0 2.0 1.19 MB

Reveal DOM elements as you scroll

Home Page: https://animate-me.atanas.info

License: MIT License

TypeScript 80.81% CSS 19.19%
scroll-events scroll-animations

animateme's Introduction

Hi, I'm Atanas ๐Ÿ‘‹ Total profile views Analytics

My open source software is published on NPM and has been downloaded this many times in the past year:

NPM Stats

Here is a bit more detailed graph showing my open source contributions in the past year:

GitHub stats

Wondering how to pronounce my name? Not anymore!

Connect with me:

ย  ย  ย  ย  ย  ย  ย  ย  ย  ย  ย 
Support and sponsor my work:

animateme's People

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

pvalchev delta94

animateme's Issues

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /AnimateMe/package.json

Path to vulnerable library: /tmp/git/AnimateMe/node_modules/lodash/package.json

Dependency Hierarchy:

  • @babel/cli-7.5.0.tgz (Root Library)
    • โŒ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 122c18a40e27192676945bd05c469ea3a36baa7e

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44906 (Medium) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Medium Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • release-it-14.13.0.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • registry-url-5.1.0.tgz
            • rc-1.2.8.tgz
              • โŒ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: d65d37f6b24ed74a3bfe302093361caa78536613

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Release Date: 2022-03-17

Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/lodash/package.json

Dependency Hierarchy:

  • release-it-14.4.1.tgz (Root Library)
    • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 4c1e2c634db79cd7267acafaf4b0f7cd5461dd33

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.8.4.tgz (Root Library)
    • โŒ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: bbf742371ca48f55212a5f6af9a3592898bc4375

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

How to "destroy" animations?

Is there any way to disable AnimateMe after it has been applied?

Similarly, skrollr has: skrollr.init().destroy();

CVE-2021-44907 (Medium) detected in qs-6.10.1.tgz

CVE-2021-44907 - Medium Severity Vulnerability

Vulnerable Library - qs-6.10.1.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • release-it-14.13.0.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz
          • parse-path-4.0.3.tgz
            • โŒ qs-6.10.1.tgz (Vulnerable Library)

Found in HEAD commit: d65d37f6b24ed74a3bfe302093361caa78536613

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;cloudscribe.templates - 5.2.0;KnstAsyncApiUI - 1.0.2-pre;Romano.Vue - 1.0.1;Yarnpkg.Yarn - 0.26.1;VueJS.NetCore - 1.1.1;NativeScript.Sidekick.Standalone.Shell - 1.9.1-v2018050205;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.2;Fable.Template.Elmish.React - 0.1.6;Fable.Snowpack.Template - 2.1.0;Yarn.MSBuild - 0.22.0,0.24.6

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/lodash/package.json

Dependency Hierarchy:

  • release-it-14.4.1.tgz (Root Library)
    • โŒ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 4c1e2c634db79cd7267acafaf4b0f7cd5461dd33

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.11.1.min.js, jquery-1.12.4.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.11.1.min.js, jquery-1.12.4.min.js

jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/compiler-skeleton.html

Path to vulnerable library: /AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/compiler-skeleton.html

Dependency Hierarchy:

  • โŒ jquery-1.11.1.min.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/index.html

Path to vulnerable library: /AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/index.html,/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es5/skeleton.html

Dependency Hierarchy:

  • โŒ jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 8195843b5d64a21b9a0c00753c65dc738dd7e968

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • release-it-14.12.1.tgz (Root Library)
    • globby-11.0.4.tgz
      • fast-glob-3.2.7.tgz
        • โŒ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 95418d542f2e4ea6cf38900a561f7a54b1497093

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: gulpjs/glob-parent#49

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.11.1.min.js, jquery-1.12.4.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.11.1.min.js, jquery-1.12.4.min.js

jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/compiler-skeleton.html

Path to vulnerable library: /AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/compiler-skeleton.html

Dependency Hierarchy:

  • โŒ jquery-1.11.1.min.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/index.html

Path to vulnerable library: /AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/index.html,/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es5/skeleton.html

Dependency Hierarchy:

  • โŒ jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 8195843b5d64a21b9a0c00753c65dc738dd7e968

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23343 (Medium) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - Medium Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/path-parse/package.json,AnimateMe/node_modules/path-parse

Dependency Hierarchy:

  • release-it-14.6.2.tgz (Root Library)
    • shelljs-0.8.4.tgz
      • rechoir-0.6.2.tgz
        • resolve-1.19.0.tgz
          • โŒ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: cd3091d7c07e4851cad7349b398737af73dfce95

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • babel-minify-0.5.1.tgz (Root Library)
    • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: aca3ba6a574fbdd8af527d2793a455cd3032dcf3

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Step up your Open Source Security Game with WhiteSource here

Export using UMD

Use Webpack to build and export for all environments using the UMD pattern

CVE-2021-33502 (High) detected in normalize-url-4.5.0.tgz, normalize-url-3.3.0.tgz

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-4.5.0.tgz, normalize-url-3.3.0.tgz

normalize-url-4.5.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/normalize-url

Dependency Hierarchy:

  • release-it-14.8.0.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz
            • cacheable-request-6.1.0.tgz
              • โŒ normalize-url-4.5.0.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/normalize-url

Dependency Hierarchy:

  • release-it-14.8.0.tgz (Root Library)
    • git-url-parse-11.4.4.tgz
      • git-up-4.0.2.tgz
        • parse-url-5.0.2.tgz
          • โŒ normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 700196faeae8f40b9f85070d2b24e16a5bc169bf

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Step up your Open Source Security Game with WhiteSource here

WS-2020-0068 (High) detected in yargs-parser-10.1.0.tgz

WS-2020-0068 - High Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • babel-minify-0.5.1.tgz (Root Library)
    • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: bbf742371ca48f55212a5f6af9a3592898bc4375

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.proto.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1

Step up your Open Source Security Game with WhiteSource here

WS-2016-0090 (Medium) detected in jquery-1.11.1.min.js, jquery-1.12.4.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.11.1.min.js, jquery-1.12.4.min.js

jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/compiler-skeleton.html

Path to vulnerable library: /AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/compiler-skeleton.html

Dependency Hierarchy:

  • โŒ jquery-1.11.1.min.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/index.html

Path to vulnerable library: /AnimateMe/node_modules/@babel/compat-data/build/compat-table/es2016plus/index.html,/AnimateMe/node_modules/@babel/compat-data/build/compat-table/es5/skeleton.html

Dependency Hierarchy:

  • โŒ jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 8195843b5d64a21b9a0c00753c65dc738dd7e968

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2019-20149 (Medium) detected in multiple libraries

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/is-number/node_modules/kind-of/package.json

Dependency Hierarchy:

  • @babel/cli-7.8.0.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • fill-range-4.0.0.tgz
          • is-number-3.0.0.tgz
            • โŒ kind-of-3.2.2.tgz (Vulnerable Library)
kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • @babel/cli-7.8.0.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • has-value-1.0.0.tgz
                • has-values-1.0.0.tgz
                  • โŒ kind-of-4.0.0.tgz (Vulnerable Library)
kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/kind-of/package.json

Dependency Hierarchy:

  • @babel/cli-7.8.0.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • anymatch-2.0.0.tgz
        • micromatch-3.1.10.tgz
          • โŒ kind-of-6.0.2.tgz (Vulnerable Library)
kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/AnimateMe/package.json

Path to vulnerable library: /tmp/ws-scm/AnimateMe/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • @babel/cli-7.8.0.tgz (Root Library)
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • define-property-0.2.5.tgz
            • is-descriptor-0.1.6.tgz
              • โŒ kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: ffacec9e8ee470e4f624d1ac78f7e8d623140a4f

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Dependency Dashboard

This issue provides visibility into Renovate updates and their statuses. Learn more

This repository currently has no open or pending branches.

  • Check this box to trigger a request for Renovate to run again on this repository

CVE-2021-3807 (Medium) detected in ansi-regex-4.1.0.tgz

CVE-2021-3807 - Medium Severity Vulnerability

Vulnerable Library - ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • release-it-14.11.6.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • boxen-5.0.1.tgz
        • ansi-align-3.0.0.tgz
          • string-width-3.1.0.tgz
            • strip-ansi-5.2.0.tgz
              • โŒ ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: c9fcf85bc0d8e840d2148b9495752ac32b7f2209

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28469 (Medium) detected in glob-parent-5.1.1.tgz

CVE-2020-28469 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: AnimateMe/package.json

Path to vulnerable library: AnimateMe/node_modules/glob-parent

Dependency Hierarchy:

  • release-it-14.8.0.tgz (Root Library)
    • globby-11.0.3.tgz
      • fast-glob-3.2.4.tgz
        • โŒ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 700196faeae8f40b9f85070d2b24e16a5bc169bf

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.