GithubHelp home page GithubHelp logo

scriptex / async-array-prototype Goto Github PK

View Code? Open in Web Editor NEW
2.0 3.0 0.0 1.8 MB

Async array methods in JavaScript

Home Page: https://atanas.info/portfolio/open-source/async-array-prototype

License: MIT License

JavaScript 100.00%
async-await async-programming array-methods

async-array-prototype's Introduction

Travis CI Github Build Codacy Badge Codebeat Badge CodeFactor Badge DeepScan grade Analytics

Async Array Methods

This repository contains the asynchronous version of most array methods in JavaScript.

Visitor stats

GitHub stars GitHub forks GitHub watchers GitHub followers

Code stats

GitHub code size in bytes GitHub repo size GitHub language count GitHub top language GitHub last commit

Usage

First install or download this repository.

npm i async-array-prototype

# or

yarn add async-array-prototype

Then either import the whole package or include a new script tag with src pointing to your downloaded and extracted repository.

You can also include the whole package from unpkg.com

<script src="https://unpkg.com/async-array-prototype"></script>

Then

import 'async-array';

Once imported, the asyncronous methods are available on the Array.prototype and you can use them with any array.

Methods:

  1. Async every
  2. Async filter
  3. Async find
  4. Async findIndex
  5. Async forEach
  6. Async map
  7. Async some
  8. Async reduce

ES Next

Of course you can live on the edge and use the raw ES7 version of the methods by importing them from the lib folder. This way you will not extend the array prototype and the actual usage is left to you.

LICENSE

MIT

Connect with me:

                     
Support and sponsor my work:

async-array-prototype's People

Contributors

dependabot[bot] avatar greenkeeper[bot] avatar renovate-bot avatar renovate[bot] avatar scriptex avatar

Stargazers

avatar avatar

Watchers

avatar avatar avatar

async-array-prototype's Issues

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • @babel/cli-7.16.8.tgz (Root Library)
    • chokidar-3.5.1.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: cc75a6f9f7db4875f544d34034a2e2e6eb5f70b7

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: gulpjs/glob-parent#49

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: async-array-prototype/package.json

Path to vulnerable library: async-array-prototype/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.12.16.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 4503b04c1c39e4c3c63aa70af445fbf083f38dfd

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/elliptic/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 79f9639dc62d0329155df9056413203931f3e969

Vulnerability Details

all versions before 6.5.2 of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /async-array-prototype/package.json

Path to vulnerable library: /tmp/git/async-array-prototype/node_modules/lodash/package.json

Dependency Hierarchy:

  • @babel/cli-7.5.0.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 67d8eebe083a86ef3d7333d9e7f42748a09afe80

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

Step up your Open Source Security Game with WhiteSource here

Action required: Greenkeeper could not be activated 🚨

🚨 You need to enable Continuous Integration on all branches of this repository. 🚨

To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.

Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.

If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.

Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please delete the greenkeeper/initial branch in this repository, and then remove and re-add this repository to the Greenkeeper App’s white list on Github. You'll find this list on your repo or organization’s settings page, under Installed GitHub Apps.

CVE-2019-20149 (Medium) detected in multiple libraries

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/object-copy/node_modules/kind-of/package.json

Dependency Hierarchy:

  • webpack-4.41.5.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • class-utils-0.3.6.tgz
            • static-extend-0.1.2.tgz
              • object-copy-0.1.0.tgz
                • kind-of-3.2.2.tgz (Vulnerable Library)
kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • webpack-4.41.5.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • has-value-1.0.0.tgz
              • has-values-1.0.0.tgz
                • kind-of-4.0.0.tgz (Vulnerable Library)
kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/kind-of/package.json

Dependency Hierarchy:

  • webpack-4.41.5.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • kind-of-6.0.2.tgz (Vulnerable Library)
kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • webpack-4.41.5.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • define-property-0.2.5.tgz
          • is-descriptor-0.1.6.tgz
            • kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 21977aec0822888ae31446fc422554c7dde3ac11

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

CVE-2019-11358 (Medium) detected in jquery-1.11.1.min.js, jquery-1.12.4.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.11.1.min.js, jquery-1.12.4.min.js

jquery-1.11.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/async-array-prototype/node_modules/@babel/compat-data/build/compat-table/es5/compiler-skeleton.html

Path to vulnerable library: /async-array-prototype/node_modules/@babel/compat-data/build/compat-table/es5/compiler-skeleton.html

Dependency Hierarchy:

  • jquery-1.11.1.min.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /tmp/ws-scm/async-array-prototype/node_modules/@babel/compat-data/build/compat-table/es5/index.html

Path to vulnerable library: /async-array-prototype/node_modules/@babel/compat-data/build/compat-table/es5/index.html,/async-array-prototype/node_modules/@babel/compat-data/build/compat-table/non-standard/skeleton.html

Dependency Hierarchy:

  • jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: b4a8208771047486eba9569227d2e9ba080b7d69

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23343 (Medium) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - Medium Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: async-array-prototype/package.json

Path to vulnerable library: async-array-prototype/node_modules/path-parse/package.json

Dependency Hierarchy:

  • webpack-cli-4.7.0.tgz (Root Library)
    • rechoir-0.7.0.tgz
      • resolve-1.20.0.tgz
        • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: c005f5a7f466a1090b01c6f5c38e6f87cee5afc5

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: async-array-prototype/package.json

Path to vulnerable library: async-array-prototype/node_modules/lodash/package.json

Dependency Hierarchy:

  • cli-7.12.16.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 4503b04c1c39e4c3c63aa70af445fbf083f38dfd

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-13822 (High) detected in elliptic-6.5.2.tgz

CVE-2020-13822 - High Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/elliptic/package.json

Dependency Hierarchy:

  • webpack-4.43.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: c9723e47116e044b3a7dd3cdeea48a0b99c57690

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Async reduce

Here is an example implementation:

import { throws } from '../utils';

export const reduceAsync = async function(fn, accumulator, thisArg) {
    throws(this, fn);

    let result = accumulator;

    for (value of this) {
        result = await fn.call(thisArg, accumulator, value);
    }

    return result;
}

Dependency Dashboard

This issue provides visibility into Renovate updates and their statuses. Learn more

This repository currently has no open or pending branches.

  • Check this box to trigger a request for Renovate to run again on this repository

WS-2016-0090 (Medium) detected in jquery-1.7.1.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/async-array-prototype/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /async-array-prototype/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 9277a3e551bc96c284e821697393f43d2cf7eed9

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.7.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/async-array-prototype/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /async-array-prototype/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 9277a3e551bc96c284e821697393f43d2cf7eed9

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz

CVE-2020-28275 - High Severity Vulnerability

Vulnerable Library - cache-base-1.0.1.tgz

Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.

Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz

Path to dependency file: async-array-prototype/package.json

Path to vulnerable library: async-array-prototype/node_modules/cache-base/package.json

Dependency Hierarchy:

  • cli-7.12.10.tgz (Root Library)
    • chokidar-2-2.1.8-no-fsevents.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 01b77c27dd9b0e18c25305dcef639da5c8a94ae5

Vulnerability Details

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-11-07

URL: CVE-2020-28275

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/async-array-prototype/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /async-array-prototype/node_modules/vm-browserify/example/run/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 9277a3e551bc96c284e821697393f43d2cf7eed9

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28469 (Medium) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: async-array-prototype/package.json

Path to vulnerable library: async-array-prototype/node_modules/glob-parent

Dependency Hierarchy:

  • cli-7.14.3.tgz (Root Library)
    • chokidar-2-2.1.8-no-fsevents.tgz
      • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 390092d4541e89ccfdc6da0853c2aa2af35ccb7b

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/async-array-prototype/package.json

Path to vulnerable library: /tmp/ws-scm/async-array-prototype/node_modules/lodash/package.json

Dependency Hierarchy:

  • @babel/cli-7.10.0.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 79f9639dc62d0329155df9056413203931f3e969

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23364 (Medium) detected in browserslist-4.16.3.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: async-array-prototype/package.json

Path to vulnerable library: async-array-prototype/node_modules/browserslist/package.json

Dependency Hierarchy:

  • webpack-5.31.2.tgz (Root Library)
    • browserslist-4.16.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.