fdm-monster / fdm-monster Goto Github PK

3D printer farm management platform for local or in-cloud usage using OctoPrint.

Home Page: https://docs.fdm-monster.net/

License: GNU Affero General Public License v3.0

JavaScript 0.35% Dockerfile 0.30% Shell 0.10% G-code 2.21% TypeScript 97.00% PowerShell 0.05%

3d-printing autodiscovery farmpi fluidd klipper klippy mainsail marlin mongodb monsterpi mqtt nestjs nodejs octopi octoprint prusa prusa-link socketio sqlite3 virtualklipper

fdm-monster's Introduction

FDM Monster

Support the project

Github

Ko-Fi

Documentation

What is FDM Monster?

FDM Monster is a server for managing your 3D printer farm through OctoPrint. Our efforts are focused on providing a professional print-farming workflow that is suitable for hobby and commercial farms alike.

This server has been battle-tested in the field for 100+ printers, so give it a star ⭐and enhance your 3D Printing Farm's workflow!

Features

Adding OctoPrint instances
Dragging printers on grid
Dropping GCode to print
Batch select and print GCode
Marking printers as maintenance mode
Import printers from OctoFarm
Raspberry Pi image MonsterPi

The FDM Monster grid after placing one OctoPrint instance.

Getting started

Check out the Documentation. Are you interested in running the Raspberry Pi image? Please jump ahead MonsterPi Section.

Reach out for questions

Please join the discord, but stay professional and proactive!

Discord server: https://discord.gg/mwA8uP8CMc
Website: https://fdm-monster.net
Mail: [email protected]

Contributors ✨

These are the people involved in the project. Find the meaning of the emoji keys here.

_{David Zwart} 🐛 💻 🚧 📓	_{Maurice Kevenaar} 🛡️ 🚧 🤔 🐛	_Tobias 🤔 🚧	_tideline3d 🐛 🤔	_WindArrow3d 🐛 💵 🤔 📓 📦	_{Lucian Chapar} 🐛	_Dumnersm580 📖 🤔
_{tophattwaffle} 🐛 🤔	_rmhenn 🤔 🐛	_cyrixdx4 🐛	_doucettom 🐛 🤔	_Callum 🤔	_bharvey88 🐛 🚇 📦	_Mikec78660 🤔
_{w. ian douglas} 🤔	_{InsanityAutomation} 🤔 🐛

Tier 4	Tier 3	Tier 2	Tier 1	One Time
	WindArrow3d		doucettom	th3dstudio

Contribute

Feel like joining in as a developer or do you have a quick fix? Great! Please read the CONTRIBUTING file.

Development Progress

License

FDM Monster is licensed with AGPL-3.0. For details, please consult the LICENSE file.

Historical Note

This project has been forked from OctoFarm at September 2021 when I ended as a contributor to this project.

fdm-monster's People

Contributors

Stargazers

Watchers

Forkers

aheadio tideline3d tempnamedevs houseofbugs doucettom simplemente3d relatable52

fdm-monster's Issues

CVE-2022-24785 (High) detected in moment-2.29.1.tgz - autoclosed

CVE-2022-24785 - High Severity Vulnerability

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /server-nest/package.json

Path to vulnerable library: /server-nest/node_modules/moment/package.json

Dependency Hierarchy:

schedule-1.1.0.tgz (Root Library)
- cron-1.8.2.tgz
  - moment-timezone-0.5.34.tgz
    - ❌ moment-2.29.1.tgz (Vulnerable Library)

Found in HEAD commit: c405fcb6e68dd3a88f087b45778b3b98c055e294

Found in base branch: develop

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: moment - 2.29.2,Moment.js - 2.29.2

Step up your Open Source Security Game with WhiteSource here

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz - autoclosed

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/node-forge/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- webpack-dev-server-3.11.2.tgz
  - selfsigned-1.10.11.tgz
    - ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

Step up your Open Source Security Game with WhiteSource here

Introduce server private API and cleanup the server commands service

The server private API meant for getting update info, performing Node/PM2/etc updating is not written in the reliable style which powers the rest of FDM. It certainly is not ready for a service CLI/deamon and docker overlay in future.

Clean the API up
Refactor the update service and server commands service to become REST style with exceptions bubbling up without covering them up in 'mock text'
Cover with tests

:bug: Version API returns with airGapped undefined error

API endpoint

{{env}}/api/version

{
"error": "Server experienced an internal error",
"type": "ReferenceError",
"stack": "ReferenceError: airGapped is not defined\n at ServerUpdateService.getUpdateNotificationIfAny (C:\Users\david\Projects\fdm-monster\server\services\server-update.service.js:102:45)\n at AppController.getVersion (C:\Users\david\Projects\fdm-monster\server\controllers\app.controller.js:36:64)\n at asyncWrappedMiddleware (C:\Users\david\Projects\fdm-monster\server\node_modules\awilix-express\lib\invokers.js:129:27)\n at memberInvoker (C:\Users\david\Projects\fdm-monster\server\node_modules\awilix-express\lib\invokers.js:87:79)\n at Layer.handle [as handle_request] (C:\Users\david\Projects\fdm-monster\server\node_modules\express\lib\router\layer.js:95:5)\n at next (C:\Users\david\Projects\fdm-monster\server\node_modules\express\lib\router\route.js:137:13)\n at C:\Users\david\Projects\fdm-monster\server\middleware\authenticate.js:25:16\n at asyncWrappedMiddleware (C:\Users\david\Projects\fdm-monster\server\node_modules\awilix-express\lib\invokers.js:129:27)\n at middlewareFactoryHandler (C:\Users\david\Projects\fdm-monster\server\node_modules\awilix-express\lib\invokers.js:109:44)\n at Layer.handle [as handle_request] (C:\Users\david\Projects\fdm-monster\server\node_modules\express\lib\router\layer.js:95:5)"
}

Consider converting node backend to ESM

https://github.com/getify/moduloze

Test Printer DELETE does not always succeed - CI/GHA issue now with response log

I confirm that I'm a developer of FDM Monster and allowed to use this template.
Description

statusCode: 404,
status: 404,
statusType: 4,
info: false,
ok: false,
redirect: false,
clientError: true,
serverError: false,
error: Error: cannot DELETE /api/printer/621b9f30dd5afcc05ac3ef5c (404)
at Response.toError (/home/runner/work/fdm-monster/fdm-monster/server/node_modules/superagent/src/node/response.js:110:17)
at Response._setStatusProperties (/home/runner/work/fdm-monster/fdm-monster/server/node_modules/superagent/src/response-base.js:107:48)
at new Response (/home/runner/work/fdm-monster/fdm-monster/server/node_modules/superagent/src/node/response.js:41:8)
at Test._emitResponse (/home/runner/work/fdm-monster/fdm-monster/server/node_modules/superagent/src/node/index.js:935:20)
at fn (/home/runner/work/fdm-monster/fdm-monster/server/node_modules/superagent/src/node/index.js:1137:38)
at IncomingMessage. (/home/runner/work/fdm-monster/fdm-monster/server/node_modules/superagent/src/node/parsers/json.js:19:7)
at IncomingMessage.emit (node:events:532:35)
at endReadableNT (node:internal/streams/readable:1346:12)
at processTicksAndRejections (node:internal/process/task_queues:83:21) {
status: 404,
text: {"error":"The printer ID '621b9f30dd5afcc05ac3ef5c' is not an existing printer."},
method: 'DELETE',
path: '/api/printer/621b9f30dd5afcc05ac3ef5c'

CVE-2022-0686 (Medium) detected in url-parse-1.5.7.tgz - autoclosed

CVE-2022-0686 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.7.tgz

Path to dependency file: /server/package.json

Path to vulnerable library: /server/node_modules/url-parse/package.json

Dependency Hierarchy:

eventsource-1.1.0.tgz (Root Library)
- original-1.0.2.tgz
  - ❌ url-parse-1.5.7.tgz (Vulnerable Library)

Found in base branch: development

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-19

Fix Resolution: url-parse - 1.5.8

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/glob-parent/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- copy-webpack-plugin-5.1.2.tgz
  - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44906 (Critical) detected in minimist-0.0.10.tgz - autoclosed

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /installations/fdm-monster-node-linux/package.json

Path to vulnerable library: /installations/fdm-monster-node-linux/package.json

Dependency Hierarchy:

node-linux-0.1.12.tgz (Root Library)
- optimist-0.6.1.tgz
  - ❌ minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 8466123131dc14f5afbef4b2b98455eb7ee64eec

Found in base branch: develop

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

Step up your Open Source Security Game with Mend here

[Vue client] Failed to construct URL in `convertPrinterToCreateForm` function

Global Error captured TypeError: Failed to construct 'URL': Invalid URL
at Function.convertPrinterToCreateForm (printers.service.ts?fe1d:18:1)
at VueComponent.created (PrinterCrudForm.vue?551d:159:1)
at invokeWithErrorHandling (vue.runtime.esm.js?c320:1863:1)
at callHook (vue.runtime.esm.js?c320:4235:1)
at VueComponent.Vue._init (vue.runtime.esm.js?c320:5022:1)
at new PrinterCrudForm (vue.runtime.esm.js?c320:5168:1)
at createComponentInstanceForVnode (vue.runtime.esm.js?c320:3304:1)
at init (vue.runtime.esm.js?c320:3133:1)
at createComponent (vue.runtime.esm.js?c320:6022:1)
at createElm (vue.runtime.esm.js?c320:5969:1) VueComponent {_uid: 138, _isVue: true, $options: {…}, _renderProxy: Proxy, _self: VueComponent, …} created hook (Promise/async)

Should be an easy fix

Renovate PR config ignore changes for Node12 and Vue2 packages

Describe the bug

Renovate should ignore major updates for vue-client until #257 goes into effect and the vue client can be removed altogether.
Docker for Node12 should not be updated
Node 17 should not be suggested (or we'd have to ignore that PR)

CVE-2020-8203 (High) detected in lodash-4.17.15.tgz - autoclosed

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/cypress/node_modules/lodash/package.json

Dependency Hierarchy:

cli-plugin-e2e-cypress-4.5.14.tgz (Root Library)
- cypress-3.8.3.tgz
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (@vue/cli-plugin-e2e-cypress): 5.0.0-alpha.0

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz - autoclosed

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/node-forge/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- webpack-dev-server-3.11.2.tgz
  - selfsigned-1.10.11.tgz
    - ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44907 (Low) detected in qs-6.10.3.tgz - autoclosed

CVE-2021-44907 - Low Severity Vulnerability

Vulnerable Library - qs-6.10.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.10.3.tgz

Path to dependency file: /server/package.json

Path to vulnerable library: /server/node_modules/superagent/node_modules/qs/package.json,/server-nest/node_modules/qs/package.json

Dependency Hierarchy:

supertest-6.2.2.tgz (Root Library)
- superagent-7.1.1.tgz
  - ❌ qs-6.10.3.tgz (Vulnerable Library)

Found in HEAD commit: 6362d96946b8fe8b940c8a4b6272eaee7282a5e5

Found in base branch: develop

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (3.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: qs - 6.8.1

Step up your Open Source Security Game with WhiteSource here

Bug file-clean filter would delete new files as well

Filter predicate in FilesStore has a bug:

Unix timestamp scale of a day is 86400 per day, which it should be multiplied with

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz - autoclosed

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/ansi-html/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- webpack-dev-server-3.11.2.tgz
  - ❌ ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution: VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28500 (Medium) detected in lodash-4.17.15.tgz - autoclosed

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/cypress/node_modules/lodash/package.json

Dependency Hierarchy:

cli-plugin-e2e-cypress-4.5.14.tgz (Root Library)
- cypress-3.8.3.tgz
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@vue/cli-plugin-e2e-cypress): 5.0.0-alpha.0

Step up your Open Source Security Game with WhiteSource here

Printer Name update does not persist

Each time the server restarts the name rolls back.

Resolution: The .save() method did not update an already existing nested object. Replace with updateOne(...)

CVE-2022-24771 (High) detected in node-forge-1.2.1.tgz - autoclosed

CVE-2022-24771 - High Severity Vulnerability

Vulnerable Library - node-forge-1.2.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/node-forge/package.json

Dependency Hierarchy:

cli-service-5.0.4.tgz (Root Library)
- webpack-dev-server-4.7.4.tgz
  - selfsigned-2.0.0.tgz
    - ❌ node-forge-1.2.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz - autoclosed

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/svgo/node_modules/nth-check/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- cssnano-4.1.11.tgz
  - cssnano-preset-default-4.0.8.tgz
    - postcss-svgo-4.0.3.tgz
      - svgo-1.3.2.tgz
        
        css-select-2.1.0.tgz
        
        ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

Step up your Open Source Security Game with WhiteSource here

UPDATE `@fdm-monster/client` will be split to a separate repository

I confirm that I'm a developer of FDM Monster and allowed to use this template.

Description
The client package @fdm-monster/client will move to the repository https://github.com/fdm-monster/fdm-monster-client
This allows us to keep developing the current client version 0.3.3, whilst working on the new Vue3 version of the client.

Prerequisites:

This new version aims to have the following specs:

Add CONTRIBUTOR.md and related sections in README.md

Tips and requirements for contributing

Printer test sidepanel can show old report

I confirm that I'm a developer of FDM Monster and allowed to use this template.
Description

Printer test sidepanel should reset after opening a new printer

Vue serve --progress webpack plugin fails

Quite an old problem seemingly introduced in webpack v4.25.0

CVE-2022-0691 (Medium) detected in url-parse-1.5.7.tgz - autoclosed

CVE-2022-0691 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.7.tgz

Path to dependency file: /server/package.json

Path to vulnerable library: /server/node_modules/url-parse/package.json

Dependency Hierarchy:

eventsource-1.1.0.tgz (Root Library)
- original-1.0.2.tgz
  - ❌ url-parse-1.5.7.tgz (Vulnerable Library)

Found in HEAD commit: 32e6ce3f1f97c7cba90bbd79858996503aab5185

Found in base branch: development

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution: url-parse - 1.5.9

Step up your Open Source Security Game with WhiteSource here

Nest E2E workflow sometimes never stops on GHA

CVE-2021-23337 (High) detected in lodash-4.17.15.tgz - autoclosed

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/cypress/node_modules/lodash/package.json

Dependency Hierarchy:

cli-plugin-e2e-cypress-4.5.14.tgz (Root Library)
- cypress-3.8.3.tgz
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@vue/cli-plugin-e2e-cypress): 5.0.0-alpha.0

Step up your Open Source Security Game with WhiteSource here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

chore(deps): lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): update dependency eslint-plugin-promise to v6.5.1
fix(deps): update octokit monorepo (major) (@octokit/plugin-throttling, octokit)

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Detected dependencies

docker-compose

docker-compose.yml

mongo 7

fdmmonster/fdm-monster 1.6.2-sqlite

installations/other/home-assistant/docker-compose.yml

installations/other/mosquitto-broker/docker-compose.yml

eclipse-mosquitto 2

installations/other/octofarm/docker-compose.yml

installations/other/octoprint-virtual/docker-compose.simple.yml

octoprint/octoprint 1.10.2

octoprint/octoprint 1.10.2

installations/other/octoprint-virtual/docker-compose.yml

installations/virtual-klipper/docker-compose.yml

dockerfile

docker/Dockerfile

node 18-bookworm-slim

node 18-bookworm-slim

docker/alpha.Dockerfile

node 18-bookworm-slim

node 18-bookworm-slim

docker/test.Dockerfile

node 18-bookworm-slim

installations/other/octoprint-virtual/default1.9.0/octoprint.Dockerfile

octoprint/octoprint 1.10.2

github-actions

.github/workflows/docker_alpha_build.yml

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

docker/setup-qemu-action v3

docker/setup-buildx-action v3

docker/login-action v3

actions/cache v4

docker/build-push-action v6

.github/workflows/docker_arm64_build.yml

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

docker/setup-qemu-action v3

docker/setup-buildx-action v3

docker/login-action v3

actions/cache v4

docker/build-push-action v6

docker/build-push-action v6

.github/workflows/docker_quick_build.yml

crazy-max/ghaction-docker-meta v5

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

docker/setup-qemu-action v3

docker/setup-buildx-action v3

docker/login-action v3

HackerHappyHour/tagging-strategy v3

HackerHappyHour/tagging-strategy v3

actions/cache v4

docker/build-push-action v6

docker/build-push-action v6

.github/workflows/docker_release.yml

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

mukunku/tag-exists-action v1.6.0

crazy-max/ghaction-docker-meta v5

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

docker/setup-qemu-action v3

docker/setup-buildx-action v3

docker/login-action v3

HackerHappyHour/tagging-strategy v3

HackerHappyHour/tagging-strategy v3

actions/cache v4

docker/build-push-action v6

docker/build-push-action v6

.github/workflows/nodejs.yml

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

actions/setup-node v4

codecov/codecov-action v4

JS-DevTools/npm-publish v3

.github/workflows/nodejs_mongodb.yml

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

actions/setup-node v4

.github/workflows/nodejs_release.yml

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

mukunku/tag-exists-action v1.6.0

actions/checkout v4@692973e3d937129bcbf40652eb9f2f61becf3332

actions/setup-node v4

actions/create-release v1

montudor/action-zip v1.0.0

actions/upload-release-asset v1

JS-DevTools/npm-publish v3

npm

package.json

@fdm-monster/client 1.6.0

@influxdata/influxdb-client 1.33.2

@octokit/plugin-throttling 8.2.0

@sentry/node 8.19.0

adm-zip 0.5.14

awilix 10.0.2

awilix-express 9.0.1

axios 1.7.2

bcryptjs 2.4.3

better-sqlite3 11.1.2

cache-manager 4.1.0

class-validator 0.14.1

connect-history-api-fallback 2.0.0

cookie-parser 1.4.6

cors 2.8.5

cross-env 7.0.3

dotenv 16.4.5

eventemitter2 6.4.9

express 4.19.2

form-data 4.0.0

helmet 7.1.0

ip 2.0.1

js-yaml 4.1.0

jsonwebtoken 9.0.2

lodash 4.17.21

luxon 3.4.4

migrate-mongo 11.0.0

mongoose 6.13.0

multer 1.4.5-lts.1

node-input-validator 4.5.1

nodemon 3.1.4

octokit 3.2.1

passport 0.7.0

passport-anonymous 1.0.1

passport-jwt 4.0.1

reflect-metadata 0.2.2

semver 7.6.3

simple-git 3.25.0

socket.io 4.7.5

toad-scheduler 3.0.1

typeorm 0.3.20

uuid 10.0.0

winston 3.13.1

ws 8.18.0

@lcov-viewer/cli 1.3.0

@lcov-viewer/istanbul-report 1.4.0

@swc/cli 0.4.0

@swc/core 1.7.0

@swc/jest 0.2.36

@types/adm-zip 0.5.5

@types/bcryptjs 2.4.6

@types/cache-manager 4.0.6

@types/connect-history-api-fallback 1.5.4

@types/cookie-parser 1.4.7

@types/express 4.17.21

@types/ip 1.1.3

@types/jest 29.5.12

@types/js-yaml 4.0.9

@types/lodash 4.17.7

@types/luxon 3.4.2

@types/migrate-mongo 10.0.4

@types/multer 1.4.11

@types/node 20.14.11

@types/passport-anonymous 1.0.5

@types/passport-jwt 4.0.1

@types/semver 7.5.8

@types/supertest 6.0.2

@types/uuid 10.0.0

@types/ws 8.5.11

chokidar 3.6.0

concurrently 8.2.2

eslint 9.7.0

eslint-config-airbnb-base 15.0.0

eslint-config-prettier 9.1.0

eslint-config-standard 17.1.0

eslint-plugin-import 2.29.1

eslint-plugin-n 17.9.0

eslint-plugin-prettier 4.2.1

eslint-plugin-promise 6.4.0

express-list-routes 1.2.2

jest 29.7.0

jest-27-expect-message 1.1.0

mongodb-memory-server 10.0.0

nock 13.5.4

prettier 2.8.8

supertest 7.0.0

ts-node 10.9.2

typescript 5.5.3

node >= 18.0.0

npm >= 8.1.4

yarn >= 1.22.10

yarn 4.3.1

Check this box to trigger a request for Renovate to run again on this repository

Use better package dependency detection like Renovate

Repo-wide version checking with report in PR makes life easier.

Docker latest tag should not be pushed for dev/unstable branches

I confirm that I'm a developer of FDM Monster and allowed to use this template.
Description
Docker latest tag should not be pushed for dev/unstable branches. This is currently the case.

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz - autoclosed

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/json-schema/package.json

Dependency Hierarchy:

cli-plugin-babel-4.5.14.tgz (Root Library)
- cli-shared-utils-4.5.14.tgz
  - request-2.88.2.tgz
    - http-signature-1.2.0.tgz
      - jsprim-1.4.1.tgz
        
        ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.15

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0144 (High) detected in shelljs-0.8.4.tgz - autoclosed

CVE-2022-0144 - High Severity Vulnerability

Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/shelljs/package.json

Dependency Hierarchy:

vue-cli-plugin-vuetify-2.4.3.tgz (Root Library)
- ❌ shelljs-0.8.4.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: shelljs/shelljs@d919d22

Release Date: 2022-01-11

Fix Resolution: shelljs - 0.8.5

Step up your Open Source Security Game with WhiteSource here

CVE-2021-33587 (High) detected in css-what-3.4.2.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/svgo/node_modules/css-what/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- cssnano-4.1.11.tgz
  - cssnano-preset-default-4.0.8.tgz
    - postcss-svgo-4.0.3.tgz
      - svgo-1.3.2.tgz
        
        css-select-2.1.0.tgz
        
        ❌ css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2020-7598 (Medium) detected in minimist-0.0.10.tgz - autoclosed

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /installations/fdm-monster-node-linux/package.json

Path to vulnerable library: /installations/fdm-monster-node-linux/package.json

Dependency Hierarchy:

node-linux-0.1.12.tgz (Root Library)
- optimist-0.6.1.tgz
  - ❌ minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: develop

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Step up your Open Source Security Game with Mend here

CVE-2021-33502 (High) detected in normalize-url-3.3.0.tgz, normalize-url-1.9.1.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-3.3.0.tgz, normalize-url-1.9.1.tgz

normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/postcss-normalize-url/node_modules/normalize-url/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- cssnano-4.1.11.tgz
  - cssnano-preset-default-4.0.8.tgz
    - postcss-normalize-url-4.0.1.tgz
      - ❌ normalize-url-3.3.0.tgz (Vulnerable Library)

normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/normalize-url/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- mini-css-extract-plugin-0.9.0.tgz
  - ❌ normalize-url-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Step up your Open Source Security Game with WhiteSource here

Printer Controller Test GET {id} fails 25% of the runs Node14 only

FAIL test/api/printer-controller.test.js
● PrinterController › should be able to DELETE id => ${defaultRoute}/${id} - existing id

expect(received).toEqual(expected) // deep equality

Expected: 200
Received: 404

CVE-2022-0639 (Medium) detected in url-parse-1.5.3.tgz - autoclosed

CVE-2022-0639 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

eventsource-1.1.0.tgz (Root Library)
- original-1.0.2.tgz
  - ❌ url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution: url-parse - 1.5.7

Step up your Open Source Security Game with WhiteSource here

Coverage tile shows unknown

Repo problem

CVE-2022-24773 (Medium) detected in node-forge-1.2.1.tgz - autoclosed

CVE-2022-24773 - Medium Severity Vulnerability

Vulnerable Library - node-forge-1.2.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/node-forge/package.json

Dependency Hierarchy:

cli-service-5.0.4.tgz (Root Library)
- webpack-dev-server-4.7.4.tgz
  - selfsigned-2.0.0.tgz
    - ❌ node-forge-1.2.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

Step up your Open Source Security Game with WhiteSource here

Empty response of API mime type should be text or raw (to avoid fallback to XML)

I confirm that I'm a developer of FDM Monster and allowed to use this template.
Description
When sending empty response, Firefox interprets the response type as XML and throws a parsing error. Instead default should be to set to plain/text

Client 0.3.2 - upload message doesnt (always) disappear after upload completion

Check the flow of the event-bus and whether its being handled properly

CVE-2022-0512 (High) detected in url-parse-1.5.3.tgz - autoclosed

CVE-2022-0512 - High Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

eventsource-1.1.0.tgz (Root Library)
- original-1.0.2.tgz
  - ❌ url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution: url-parse - 1.5.6

Step up your Open Source Security Game with WhiteSource here

CVE-2021-43138 (High) detected in async-0.9.2.tgz, async-2.6.3.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Libraries - async-0.9.2.tgz, async-2.6.3.tgz

async-0.9.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/jake/node_modules/async/package.json

Dependency Hierarchy:

cli-plugin-pwa-5.0.4.tgz (Root Library)
- workbox-webpack-plugin-6.4.2.tgz
  - workbox-build-6.4.2.tgz
    - rollup-plugin-off-main-thread-2.2.3.tgz
      - ejs-3.1.6.tgz
        
        jake-10.8.2.tgz
        
        ❌ async-0.9.2.tgz (Vulnerable Library)

async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/async/package.json

Dependency Hierarchy:

cli-service-5.0.4.tgz (Root Library)
- portfinder-1.0.28.tgz
  - ❌ async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 0cbede9a381f60be8e4d475fb1df566d99bce951

Found in base branch: develop

Vulnerability Details

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - v3.2.2

Step up your Open Source Security Game with WhiteSource here

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting String near } ]

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz - autoclosed

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/yargs-parser/package.json

Dependency Hierarchy:

cli-plugin-unit-jest-4.5.14.tgz (Root Library)
- ts-jest-24.3.0.tgz
  - ❌ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (@vue/cli-plugin-unit-jest): 5.0.0-alpha.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/string-width/node_modules/ansi-regex/package.json,/client-vue/node_modules/progress-webpack-plugin/node_modules/ansi-regex/package.json

Dependency Hierarchy:

cli-service-5.0.4.tgz (Root Library)
- progress-webpack-plugin-1.0.12.tgz
  - log-update-2.3.0.tgz
    - wrap-ansi-3.0.1.tgz
      - string-width-2.1.1.tgz
        
        strip-ansi-4.0.0.tgz
        
        ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: develop

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

WS-2021-0153 (High) detected in ejs-2.7.4.tgz - autoclosed

WS-2021-0153 - High Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/ejs/package.json

Dependency Hierarchy:

cli-service-4.5.14.tgz (Root Library)
- webpack-bundle-analyzer-3.9.0.tgz
  - ❌ ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 7b578356e8806b3c4fd52846139ac4e710cea975

Found in base branch: development

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: mde/ejs#571

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Step up your Open Source Security Game with WhiteSource here

CVE-2022-24772 (High) detected in node-forge-1.2.1.tgz - autoclosed

CVE-2022-24772 - High Severity Vulnerability

Vulnerable Library - node-forge-1.2.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz

Path to dependency file: /client-vue/package.json

Path to vulnerable library: /client-vue/node_modules/node-forge/package.json

Dependency Hierarchy:

cli-service-5.0.4.tgz (Root Library)
- webpack-dev-server-4.7.4.tgz
  - selfsigned-2.0.0.tgz
    - ❌ node-forge-1.2.1.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

Step up your Open Source Security Game with WhiteSource here

Auto Updating to newest stable/dev version

Hey,
update idea: implement automatic updates to the latest stable/ Dev version of fdm-monster to improve the maintain time for the end users.

CVE-2022-24433 (High) detected in simple-git-3.2.6.tgz - autoclosed

CVE-2022-24433 - High Severity Vulnerability

Vulnerable Library - simple-git-3.2.6.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-3.2.6.tgz

Path to dependency file: /server/package.json

Path to vulnerable library: /server/node_modules/simple-git/package.json

Dependency Hierarchy:

❌ simple-git-3.2.6.tgz (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

Publish Date: 2022-03-11

URL: CVE-2022-24433

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

fdm-monster / fdm-monster Goto Github PK

fdm-monster's Introduction

FDM Monster

Support the project

What is FDM Monster?

Features

Getting started

Reach out for questions

Contributors ✨

Sponsors

Contribute

Development Progress

License

Historical Note

fdm-monster's People

Contributors

Stargazers

Watchers

Forkers

fdm-monster's Issues

CVE-2022-24785 - High Severity Vulnerability

WS-2022-0008 - Medium Severity Vulnerability

CVE-2022-0686 - Medium Severity Vulnerability

CVE-2020-28469 - High Severity Vulnerability

CVE-2021-44906 - Critical Severity Vulnerability

CVE-2020-8203 - High Severity Vulnerability

CVE-2022-0122 - Medium Severity Vulnerability

CVE-2021-44907 - Low Severity Vulnerability

CVE-2021-23424 - High Severity Vulnerability

CVE-2020-28500 - Medium Severity Vulnerability

CVE-2022-24771 - High Severity Vulnerability

CVE-2021-3803 - High Severity Vulnerability

CVE-2022-0691 - Medium Severity Vulnerability

CVE-2021-23337 - High Severity Vulnerability

Awaiting Schedule

Open

Ignored or Blocked

Detected dependencies

CVE-2021-3918 - High Severity Vulnerability

CVE-2022-0144 - High Severity Vulnerability

CVE-2021-33587 - High Severity Vulnerability

CVE-2020-7598 - Medium Severity Vulnerability

CVE-2021-33502 - High Severity Vulnerability

CVE-2022-0639 - Medium Severity Vulnerability

CVE-2022-24773 - Medium Severity Vulnerability

CVE-2022-0512 - High Severity Vulnerability

CVE-2021-43138 - High Severity Vulnerability

CVE-2020-7608 - Medium Severity Vulnerability

CVE-2021-3807 - High Severity Vulnerability

WS-2021-0153 - High Severity Vulnerability

CVE-2022-24772 - High Severity Vulnerability

CVE-2022-24433 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org