GithubHelp home page GithubHelp logo

scriptex / github-insights Goto Github PK

View Code? Open in Web Editor NEW
3.0 3.0 0.0 5.37 MB

Get insights for your Github repositories

Home Page: https://github-insights.atanas.info/

License: MIT License

JavaScript 97.77% HTML 2.23%
github-insights github-api github-rest-v3

github-insights's Introduction

Github Build Codacy Badge Codebeat Badge CodeFactor Badge DeepScan grade Analytics

Github Insights

Get insights for your Github repositories

Start using the live application now

Visitor stats

GitHub stars GitHub forks GitHub watchers GitHub followers

Code stats

GitHub code size in bytes GitHub repo size GitHub language count GitHub top language GitHub last commit

Local usage

  1. Clone this repository
  2. Run npm install or yarn
  3. Copy .env.example to .env and add your Github Auth Token in the new .env file: 
    TOKEN=your_github_token
  4. Run npm fetch or yarn fetch by provding at least one of the required arguments:
    • --org: a Github organisation name
    • --user: a Github user name
    • --repository: a Github repository in the following format :owner/:repository (scriptex/github-insights)
  5. Wait for the script to fetch and transform the data from Github.
  6. Check the insights.json file in the root of the project.

Frontend

There is a frontend application included built with Parcel and React using Recharts.

The application is still a work in progress.

The deployment is taken care of by Vercel.

If you want to experience the full capabilities of this package locally then you need to create your own Vercel account, install the now cli and run now dev after you linked your clone/fork with Vercel.

More on this later.

About

This tool uses the 3rd version of the Github REST API.

github-insights collects the following data for your user's or organisation's repositories:

  • paths
  • views
  • forks
  • clones
  • commits
  • referrers
  • contributors

LICENSE

MIT

Connect with me:

                     
Support and sponsor my work:

github-insights's People

Contributors

dependabot[bot] avatar renovate-bot avatar renovate[bot] avatar scriptex avatar

Stargazers

avatar avatar avatar

Watchers

avatar avatar avatar

github-insights's Issues

CVE-2020-7720 (High) detected in node-forge-0.7.6.tgz

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.7.6.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.6.tgz

Path to dependency file: /tmp/ws-scm/github-insights/package.json

Path to vulnerable library: /tmp/ws-scm/github-insights/node_modules/node-forge/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.4.tgz (Root Library)
    • node-forge-0.7.6.tgz (Vulnerable Library)

Found in HEAD commit: 67daaf733a25cbe585ed76afd5341f03f1dfedb1

Vulnerability Details

All versions of package node-forge are vulnerable to Prototype Pollution via the util.setPath function.

Publish Date: 2020-07-21

URL: CVE-2020-7720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2022-25883 (Medium) detected in semver-5.7.1.tgz, semver-7.0.0.tgz

CVE-2022-25883 - Medium Severity Vulnerability

Vulnerable Libraries - semver-5.7.1.tgz, semver-7.0.0.tgz

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

  • nodemon-2.0.22.tgz (Root Library)
    • semver-5.7.1.tgz (Vulnerable Library)
semver-7.0.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-update-notifier/node_modules/semver/package.json

Dependency Hierarchy:

  • nodemon-2.0.22.tgz (Root Library)
    • simple-update-notifier-1.0.7.tgz
      • semver-7.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 47d93ce4d9d874f1f7974332681c1a2148255964

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-06-21

Fix Resolution: semver - 7.5.2

Step up your Open Source Security Game with Mend here

CVE-2021-23334 (High) detected in static-eval-2.1.0.tgz

CVE-2021-23334 - High Severity Vulnerability

Vulnerable Library - static-eval-2.1.0.tgz

evaluate statically-analyzable expressions

Library home page: https://registry.npmjs.org/static-eval/-/static-eval-2.1.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/static-eval/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.4.tgz (Root Library)
    • logger-1.11.1.tgz
      • grapheme-breaker-0.3.2.tgz
        • brfs-1.6.1.tgz
          • static-module-2.2.5.tgz
            • static-eval-2.1.0.tgz (Vulnerable Library)

Found in HEAD commit: dc74578c330ceabceba103132b939e6536d4f9e6

Vulnerability Details

All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="(function (x) { return ${eval("console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())")} })()" var ast = parse(src).body[0].expression; evaluate(ast)

Publish Date: 2021-02-11

URL: CVE-2021-23334

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/lodash/package.json

Dependency Hierarchy:

  • core-7.12.16.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: dc74578c330ceabceba103132b939e6536d4f9e6

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-33587 (High) detected in css-what-3.4.2.tgz

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/css-what

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • htmlnano-0.2.9.tgz
      • svgo-1.3.2.tgz
        • css-select-2.1.0.tgz
          • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: b30e573613b031cc4035ecb29aef467eca6c7334

Found in base branch: master

Vulnerability Details

The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3807 (Medium) detected in multiple libraries

CVE-2021-3807 - Medium Severity Vulnerability

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-2.1.1.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • nodemon-2.0.12.tgz (Root Library)
    • update-notifier-4.1.3.tgz
      • boxen-4.2.0.tgz
        • ansi-align-3.0.0.tgz
          • string-width-3.1.0.tgz
            • strip-ansi-5.2.0.tgz
              • ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-2.1.1.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • css-modules-loader-core-1.1.0.tgz
      • postcss-6.0.1.tgz
        • chalk-1.1.3.tgz
          • strip-ansi-3.0.1.tgz
            • ansi-regex-2.1.1.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • logger-1.11.1.tgz
      • strip-ansi-4.0.0.tgz
        • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • yargs-17.1.1.tgz (Root Library)
    • cliui-7.0.4.tgz
      • strip-ansi-6.0.0.tgz
        • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7bf357801ff9bf0e669e0fe3555af49e0827c4b0

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44906 (Medium) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Medium Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • core-7.17.8.tgz (Root Library)
    • json5-2.2.0.tgz
      • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: ce5b6d4af26036d7ba339e837d88849a1157c493

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Release Date: 2022-03-17

Fix Resolution: BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;cloudscribe.templates - 5.2.0;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Envisia.DotNet.Templates - 3.0.1;Yarnpkg.Yarn - 0.26.1;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;VueJS.NetCore - 1.1.1;Dianoga - 4.0.0,3.0.0-RC02;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 1.0.7;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;Fable.Template.Elmish.React - 0.1.6;BlazorPolyfill.Build - 6.0.100.2;Fable.Snowpack.Template - 2.1.0;BumperLane.Public.Api.Client - 0.23.35.214-prerelease;Yarn.MSBuild - 0.22.0,0.24.6;Blazor.TailwindCSS.BUnit - 1.0.2;Bridge.AWS - 0.3.30.36;tslint - 5.6.0;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23343 (Medium) detected in path-parse-1.0.6.tgz

CVE-2021-23343 - Medium Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/path-parse/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • resolve-1.20.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 106268a6f722c13dd9478e333d3722fd2d06972c

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23382 (Medium) detected in multiple libraries

CVE-2021-23382 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-6.0.23.tgz, postcss-7.0.32.tgz, postcss-7.0.35.tgz, postcss-6.0.1.tgz

postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/postcss-modules-local-by-default/node_modules/postcss/package.json,github-insights/node_modules/postcss-modules-scope/node_modules/postcss/package.json,github-insights/node_modules/postcss-modules-values/node_modules/postcss/package.json,github-insights/node_modules/postcss-modules-extract-imports/node_modules/postcss/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • css-modules-loader-core-1.1.0.tgz
      • postcss-modules-extract-imports-1.1.0.tgz
        • postcss-6.0.23.tgz (Vulnerable Library)
postcss-7.0.32.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/purgecss/node_modules/postcss/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • htmlnano-0.2.9.tgz
      • purgecss-2.3.0.tgz
        • postcss-7.0.32.tgz (Vulnerable Library)
postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/postcss/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • postcss-7.0.35.tgz (Vulnerable Library)
postcss-6.0.1.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.1.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/css-modules-loader-core/node_modules/postcss/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • css-modules-loader-core-1.1.0.tgz
      • postcss-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 2c4708fc8b8b0d9e987628d301453c0c3e4ce9ac

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

Step up your Open Source Security Game with WhiteSource here

WS-2022-0007 (Medium) detected in node-forge-0.10.0.tgz

WS-2022-0007 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • parcel-2.1.1.tgz (Root Library)
    • @parcel/utils-2.1.1.tgz
      • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In node-forge before 1.0.0 he regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.

Publish Date: 2022-01-08

URL: WS-2022-0007

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • parcel-2.1.1.tgz (Root Library)
    • @parcel/utils-2.1.1.tgz
      • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 29f79be7c51873cf5c0f2e7e2334bdcb26a45e67

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/

Release Date: 2022-01-06

Fix Resolution: forge - v1.0.0

Step up your Open Source Security Game with WhiteSource here

WS-2021-0154 (Medium) detected in glob-parent-3.1.0.tgz

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/glob-parent

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • watcher-1.12.1.tgz
      • chokidar-2.1.8.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 79b16cddb07790cdef3fd8f62dd1b829dd0669a9

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44907 (Medium) detected in qs-6.9.7.tgz

CVE-2021-44907 - Medium Severity Vulnerability

Vulnerable Library - qs-6.9.7.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.9.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

  • express-4.17.3.tgz (Root Library)
    • qs-6.9.7.tgz (Vulnerable Library)

Found in HEAD commit: ce5b6d4af26036d7ba339e837d88849a1157c493

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;cloudscribe.templates - 5.2.0;KnstAsyncApiUI - 1.0.2-pre;Romano.Vue - 1.0.1;Yarnpkg.Yarn - 0.26.1;VueJS.NetCore - 1.1.1;NativeScript.Sidekick.Standalone.Shell - 1.9.1-v2018050205;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.2;Fable.Template.Elmish.React - 0.1.6;Fable.Snowpack.Template - 2.1.0;Yarn.MSBuild - 0.22.0,0.24.6

Step up your Open Source Security Game with WhiteSource here

CVE-2021-28092 (Medium) detected in is-svg-3.0.0.tgz

CVE-2021-28092 - Medium Severity Vulnerability

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/is-svg/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-svgo-4.0.2.tgz
          • is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 30361a4f594c9d69c7878202095bc5cb5e2c9cd5

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23364 (Medium) detected in browserslist-4.16.3.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/browserslist/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • browserslist-4.16.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

CVE-2021-33502 (High) detected in normalize-url-4.5.0.tgz, normalize-url-3.3.0.tgz

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-4.5.0.tgz, normalize-url-3.3.0.tgz

normalize-url-4.5.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/normalize-url

Dependency Hierarchy:

  • nodemon-2.0.7.tgz (Root Library)
    • update-notifier-4.1.3.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz
            • cacheable-request-6.1.0.tgz
              • normalize-url-4.5.0.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/normalize-url

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • cssnano-4.1.11.tgz
      • cssnano-preset-default-4.0.8.tgz
        • postcss-normalize-url-4.0.1.tgz
          • normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: b30e573613b031cc4035ecb29aef467eca6c7334

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23368 (Medium) detected in postcss-7.0.32.tgz, postcss-7.0.35.tgz

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Libraries - postcss-7.0.32.tgz, postcss-7.0.35.tgz

postcss-7.0.32.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/purgecss/node_modules/postcss/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • htmlnano-0.2.9.tgz
      • purgecss-2.3.0.tgz
        • postcss-7.0.32.tgz (Vulnerable Library)
postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/postcss/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • postcss-7.0.35.tgz (Vulnerable Library)

Found in HEAD commit: 2c4708fc8b8b0d9e987628d301453c0c3e4ce9ac

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss -8.2.10

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

WS-2022-0322 (High) detected in d3-color-2.0.0.tgz

WS-2022-0322 - High Severity Vulnerability

Vulnerable Library - d3-color-2.0.0.tgz

Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).

Library home page: https://registry.npmjs.org/d3-color/-/d3-color-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/d3-color/package.json

Dependency Hierarchy:

  • recharts-2.1.15.tgz (Root Library)
    • d3-interpolate-2.0.1.tgz
      • d3-color-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: c2e5f7fcd4aa4783cb5871ada33bbe47d97f0c03

Found in base branch: master

Vulnerability Details

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

Publish Date: 2022-09-29

URL: WS-2022-0322

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-36jr-mh4h-2g58

Release Date: 2022-09-29

Fix Resolution: d3-color - 3.1.0

Step up your Open Source Security Game with Mend here

CVE-2021-3803 (Medium) detected in nth-check-1.0.2.tgz

CVE-2021-3803 - Medium Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/nth-check/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • htmlnano-0.2.9.tgz
      • svgo-1.3.2.tgz
        • css-select-2.1.0.tgz
          • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7bf357801ff9bf0e669e0fe3555af49e0827c4b0

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/lodash/package.json

Dependency Hierarchy:

  • core-7.12.16.tgz (Root Library)
    • lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: dc74578c330ceabceba103132b939e6536d4f9e6

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0155 (High) detected in follow-redirects-1.14.5.tgz

CVE-2022-0155 - High Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.5.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • parcel-2.2.0.tgz (Root Library)
    • @parcel/reporter-dev-server-2.2.0.tgz
      • http-proxy-middleware-1.3.1.tgz
        • http-proxy-1.18.1.tgz
          • follow-redirects-1.14.5.tgz (Vulnerable Library)

Found in HEAD commit: cea197dd160c4f1a995c9b303b9433f7f911516a

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (8.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution: follow-redirects - v1.14.7

Step up your Open Source Security Game with WhiteSource here

WS-2020-0070 (High) detected in lodash-4.17.15.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/github-insights/package.json

Path to vulnerable library: /tmp/ws-scm/github-insights/node_modules/lodash/package.json

Dependency Hierarchy:

  • core-7.10.2.tgz (Root Library)
    • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 21f8899689af664055154e91dec84df977548719

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/json-schema/package.json

Dependency Hierarchy:

  • parcel-2.0.1.tgz (Root Library)
    • config-default-2.0.1.tgz
      • optimizer-htmlnano-2.0.1.tgz
        • htmlnano-1.1.1.tgz
          • uncss-0.17.3.tgz
            • request-2.88.2.tgz
              • http-signature-1.2.0.tgz
                • jsprim-1.4.1.tgz
                  • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7317f0bb7b1ad5a68e841f635f58c9370098ae7f

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28469 (Medium) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/glob-parent

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • watcher-1.12.1.tgz
      • chokidar-2.1.8.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: b30e573613b031cc4035ecb29aef467eca6c7334

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

WS-2019-0424 (Medium) detected in elliptic-6.5.2.tgz

WS-2019-0424 - Medium Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/github-insights/package.json

Path to vulnerable library: /tmp/ws-scm/github-insights/node_modules/elliptic/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.4.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 21f8899689af664055154e91dec84df977548719

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2020-13822 (High) detected in elliptic-6.5.2.tgz

CVE-2020-13822 - High Severity Vulnerability

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/github-insights/package.json

Path to vulnerable library: /tmp/ws-scm/github-insights/node_modules/elliptic/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.4.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 21f8899689af664055154e91dec84df977548719

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2022-2596 (Medium) detected in node-fetch-2.6.7.tgz

CVE-2022-2596 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.7.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • node-fetch-2.6.7.tgz (Vulnerable Library)

Found in HEAD commit: 41279fd9a37d9dcfbd296dbeb9c3a39ad4e0a66f

Found in base branch: master

Vulnerability Details

Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

Publish Date: 2022-08-01

URL: CVE-2022-2596

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2596

Release Date: 2022-08-01

Fix Resolution: 4.0.0-beta.1

Step up your Open Source Security Game with Mend here

CVE-2022-33987 (Medium) detected in got-9.6.0.tgz

CVE-2022-33987 - Medium Severity Vulnerability

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • nodemon-2.0.16.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

CVE-2020-28275 (High) detected in cache-base-1.0.1.tgz

CVE-2020-28275 - High Severity Vulnerability

Vulnerable Library - cache-base-1.0.1.tgz

Basic object cache with `get`, `set`, `del`, and `has` methods for node.js/javascript projects.

Library home page: https://registry.npmjs.org/cache-base/-/cache-base-1.0.1.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/cache-base/package.json

Dependency Hierarchy:

  • parcel-bundler-1.12.4.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 99310b3dec9476d194cc8245785c89bccad5c95d

Vulnerability Details

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-11-07

URL: CVE-2020-28275

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

CVE-2021-35065 (Medium) detected in glob-parent-5.1.2.tgz

CVE-2021-35065 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • parcel-2.0.1.tgz (Root Library)
    • utils-2.0.1.tgz
      • fast-glob-3.1.1.tgz
        • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 9d6f95608a20d63d97dbc90fb5bdeef185365bc3

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: gulpjs/glob-parent#49

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-32640 (Medium) detected in ws-6.2.1.tgz, ws-5.2.2.tgz

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Libraries - ws-6.2.1.tgz, ws-5.2.2.tgz

ws-6.2.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/ws

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • htmlnano-0.2.9.tgz
      • uncss-0.17.3.tgz
        • jsdom-14.1.0.tgz
          • ws-6.2.1.tgz (Vulnerable Library)
ws-5.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz

Path to dependency file: github-insights/package.json

Path to vulnerable library: github-insights/node_modules/ws

Dependency Hierarchy:

  • parcel-bundler-1.12.5.tgz (Root Library)
    • ws-5.2.2.tgz (Vulnerable Library)

Found in HEAD commit: f6e349a8b04cfd6e059f787a4d8364a82bbbd416

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.