This project forked from github/choosealicense.com
A site to provide non-judgmental guidance on choosing a license for your open source project
Home Page: https://choosealicense.com
License: MIT License
Vulnerable Library - moment-2.24.0.tgzParse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/moment/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Publish Date: 2022-07-06
URL: CVE-2022-31129
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wc69-rhjr-hc9g
Release Date: 2022-07-06
Fix Resolution: moment - 2.29.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with Mend here
Vulnerable Library - parsejson-0.0.3.tgzMethod that parses a JSON string and returns a JSON object
Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/parsejson/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
Publish Date: 2018-06-07
URL: CVE-2017-16113
CVSS 3 Score Details (7.5)
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Vulnerable Library - karma-0.13.22.tgzSpectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-0.13.22.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.
Publish Date: 2022-02-25
URL: CVE-2021-23495
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23495
Release Date: 2022-02-25
Fix Resolution: 6.3.16
Step up your Open Source Security Game with Mend here
Vulnerable Library - socket.io-1.7.4.tgznode.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-1.7.4.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-1.0.0.tgz, minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-1.0.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma-browserify/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma-browserify/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540
Release Date: 2018-04-26
Fix Resolution (minimatch): 3.0.2
Direct dependency fix Resolution (mocha): 3.0.0-0
Fix Resolution (minimatch): 3.0.2
Direct dependency fix Resolution (karma-browserify): 5.0.0
Fix Resolution (minimatch): 3.0.2
Direct dependency fix Resolution (babelify): 7.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io-parser/node_modules/ms/package.json
Dependency Hierarchy:
Tiny milisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io-adapter/node_modules/ms/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Publish Date: 2023-01-05
URL: CVE-2017-20162
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-05
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (karma): 2.0.0
Fix Resolution (ms): 2.0.0
Direct dependency fix Resolution (karma): 2.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: choosealicense.com/assets/vendor/clipboard/node_modules/socket.io-parser/node_modules/ms/package.json
Dependency Hierarchy:
Tiny milisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: choosealicense.com/assets/vendor/clipboard/node_modules/socket.io-adapter/node_modules/ms/package.json
Dependency Hierarchy:
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - moment-2.24.0.tgzParse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/moment/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Publish Date: 2022-04-04
URL: CVE-2022-24785
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-8hfj-j24r-96c4
Release Date: 2022-04-04
Fix Resolution: moment - 2.29.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - shell-quote-0.0.1.tgzquote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: choosealicense.com/assets/vendor/clipboard/node_modules/shell-quote/package.json
Dependency Hierarchy:
Vulnerability Details
The npm module "shell-quote" cannot correctly escape "greater than" and "lower than" operator used for redirection in shell. This might be possible vulnerability for many application which depends on shell-quote.
Publish Date: 2016-05-20
URL: WS-2016-0039
CVSS 2 Score Details (8.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/117
Release Date: 2016-05-20
Fix Resolution: 1.6.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - useragent-2.3.0.tgzFastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing
Library home page: https://registry.npmjs.org/useragent/-/useragent-2.3.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/useragent/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in useragent through 2.3.0.
Publish Date: 2018-02-27
URL: WS-2018-0650
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0650
Release Date: 2018-02-27
Fix Resolution: NorDroN.AngularTemplate - 0.1.6;dotnetng.template - 1.0.0.4;JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03;MIDIator.WebClient - 1.0.105
Step up your Open Source Security Game with Mend here
Vulnerable Library - mocha-2.5.3.tgzsimple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Publish Date: 2021-09-18
URL: WS-2021-0638
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-18
Fix Resolution: 3.0.0-0
Step up your Open Source Security Game with Mend here
Vulnerable Library - diff-1.4.0.tgzA javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/diff/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (mocha): 5.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - cached-path-relative-1.0.2.tgzMemoize the results of the path.relative function
Library home page: https://registry.npmjs.org/cached-path-relative/-/cached-path-relative-1.0.2.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/cached-path-relative/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Publish Date: 2022-01-21
URL: CVE-2021-23518
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23518
Release Date: 2022-01-21
Fix Resolution (cached-path-relative): 1.1.0
Direct dependency fix Resolution (watchify): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-2.0.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/watchify/node_modules/glob-parent/package.json
Dependency Hierarchy:
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/glob-parent/package.json
Dependency Hierarchy:
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution: lodash - 4.17.19
Step up your Open Source Security Game with Mend here
Vulnerable Library - engine.io-1.8.5.tgzThe realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-1.8.5.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/engine.io/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - ws-1.1.5.tgzSimple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: choosealicense.com/assets/vendor/clipboard/node_modules/ws/package.json
Dependency Hierarchy:
Vulnerability Details
Affected version of ws (0.2.6 through 3.3.0 excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: websockets/ws@c4fe466
Release Date: 2017-11-08
Fix Resolution: ws - 3.3.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - mocha-2.5.3.tgzsimple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-24
Fix Resolution: 6.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - growl-1.9.2.tgzGrowl unobtrusive notifications
Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/growl/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
Mend Note: Converted from WS-2017-0236, on 2022-11-08.
Publish Date: 2018-06-04
URL: CVE-2017-16042
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042
Release Date: 2018-04-26
Fix Resolution (growl): 1.10.2
Direct dependency fix Resolution (mocha): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - mixin-deep-1.3.1.tgzDeeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (watchify): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - karma-0.13.22.tgzSpectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-0.13.22.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
Publish Date: 2022-02-05
URL: CVE-2022-0437
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437
Release Date: 2022-02-05
Fix Resolution: 6.3.14
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (karma): 5.0.0
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (karma): 5.0.0
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (karma): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - xmlhttprequest-ssl-1.5.3.tgzXMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 1.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-07-17
Fix Resolution: lodash-4.17.11
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - shell-quote-1.6.1.tgz, shell-quote-0.0.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/watchify/node_modules/shell-quote/package.json
Dependency Hierarchy:
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (watchify): 4.0.0
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (browserify): 12.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - json5-0.4.0.tgzJSON for the ES5 era.
Library home page: https://registry.npmjs.org/json5/-/json5-0.4.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (babelify): 8.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - debug-2.3.3.tgz, debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.3.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/engine.io/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-04-26
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (karma): 2.0.0
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (karma): 2.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21
Step up your Open Source Security Game with Mend here
Vulnerable Library - follow-redirects-1.7.0.tgzHTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.7.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (karma): 1.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - xmlhttprequest-ssl-1.5.3.tgzXMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 1.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - acorn-5.7.3.tgzECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/acorn/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (browserify): 12.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - decode-uri-component-0.2.0.tgzA better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/decode-uri-component/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (watchify): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - log4js-0.6.38.tgzPort of Log4js to work with node.
Library home page: https://registry.npmjs.org/log4js/-/log4js-0.6.38.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/log4js/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
Publish Date: 2022-01-19
URL: CVE-2022-21704
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-82v2-mx6x-wq7q
Release Date: 2022-01-19
Fix Resolution (log4js): 6.4.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - concat-stream-1.4.11.tgzwritable stream that concatenates strings or binary data and calls a callback with the result
Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.4.11.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/concat-stream/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write()
Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.
Publish Date: 2018-04-25
URL: WS-2018-0075
CVSS 3 Score Details (5.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/597
Release Date: 2018-01-27
Fix Resolution (concat-stream): 1.5.2
Direct dependency fix Resolution (browserify): 12.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - engine.io-1.8.5.tgzThe realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-1.8.5.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/engine.io/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
Publish Date: 2022-11-22
URL: CVE-2022-41940
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-r7qp-cfhv-p84w
Release Date: 2022-11-22
Fix Resolution (engine.io): 3.6.1
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/optimist/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (karma): 5.0.0
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (karma): 5.0.0
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (karma): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - kind-of-6.0.2.tgzGet the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/snapdragon-node/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (karma): 1.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - socket.io-parser-2.3.1.tgzsocket.io protocol parser
Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-2.3.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io-parser/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Publish Date: 2021-01-08
URL: CVE-2020-36049
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xfhh-g9f5-x4m4
Release Date: 2021-01-08
Fix Resolution (socket.io-parser): 3.3.2
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/380873
Release Date: 2019-02-01
Fix Resolution: lodash 4.17.11
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - minimatch-3.0.4.tgz, minimatch-0.3.0.tgz, minimatch-1.0.0.tgz, minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/rimraf/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-1.0.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma-browserify/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/karma-browserify/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (watchify): 4.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (watchify): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - http-proxy-1.17.0.tgzHTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.17.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/http-proxy/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution (http-proxy): 1.18.1
Direct dependency fix Resolution (karma): 1.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (watchify): 4.0.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (watchify): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-2.0.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/watchify/node_modules/glob-parent/package.json
Dependency Hierarchy:
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (watchify): 4.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (karma): 4.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - socket.io-1.7.4.tgznode.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-1.7.4.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/socket.io/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
In socket.io in versions 1.0.0 to 2.3.0 is vulnerable to Cross-Site Websocket Hijacking, it allows an attacker to bypass origin protection using special symbols include "`" and "$".
Publish Date: 2020-02-20
URL: WS-2020-0443
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/931197
Release Date: 2020-02-20
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-3.10.1.tgzThe modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1067
Release Date: 2018-04-26
Fix Resolution: lodash 4.17.5
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - debug-2.3.3.tgz, debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.3.3.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/engine.io/node_modules/debug/package.json
Dependency Hierarchy:
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/mocha/node_modules/debug/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
Publish Date: 2023-01-09
URL: CVE-2017-20165
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9vvw-cc9w-f27h
Release Date: 2023-01-09
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (karma): 2.0.0
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (karma): 2.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - shell-quote-0.0.1.tgzquote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz
Path to dependency file: /choosealicense.com/assets/vendor/clipboard/package.json
Path to vulnerable library: /assets/vendor/clipboard/node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in base branch: gh-pages
Vulnerability Details
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.
Publish Date: 2018-05-31
URL: CVE-2016-10541
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10541
Release Date: 2018-04-26
Fix Resolution (shell-quote): 1.6.1
Direct dependency fix Resolution (browserify): 12.0.0
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
