kaidisn / encore
This project forked from encoredev/encore
The Backend Development Engine built for Go
Home Page: https://encore.dev
License: Mozilla Public License 2.0
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/json5/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@vitejs/plugin-react-refresh): 1.3.0
⛑️ Automatic Remediation is available for this issue
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in color-string version 1.5.5 and below, which occurs when the application is provided with and checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (tailwindcss): 2.0.3
⛑️ Automatic Remediation is available for this issue
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: main
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (tailwindcss): 2.0.3
⛑️ Automatic Remediation is available for this issue
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.23.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/nanoid/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows an attacker to reproduce the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (postcss): 8.3.0
⛑️ Automatic Remediation is available for this issue
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28851
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28851
Release Date: 2021-01-02
Fix Resolution: golang-golang-x-text-dev - 0.3.6-1,0.3.6-1
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (tailwindcss): 2.0.3
⛑️ Automatic Remediation is available for this issue
[mirror] Go supplementary cryptography libraries
Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.0.0-20200707235045-ab33eee955e0.zip
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
Publish Date: 2022-09-06
URL: CVE-2021-43565
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565
Release Date: 2021-11-10
Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Publish Date: 2022-12-26
URL: CVE-2021-38561
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/browserslist/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (autoprefixer): 10.2.5
⛑️ Automatic Remediation is available for this issue
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (tailwindcss): 2.0.3
⛑️ Automatic Remediation is available for this issue
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/postcss-functions/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (tailwindcss): 2.1.2-internal.1
⛑️ Automatic Remediation is available for this issue
[mirror] Go Tools
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
[mirror] Go supplementary cryptography libraries
Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.0.0-20200707235045-ab33eee955e0.zip
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Publish Date: 2020-12-17
URL: CVE-2020-29652
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
Release Date: 2020-12-17
Fix Resolution: v0.0.0-20201216223049-8b5274cf687f
A golang library for building interactive prompts with full support for windows and posix terminals.
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
[mirror] Go Tools
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.3.zip
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
Publish Date: 2021-01-02
URL: CVE-2020-28852
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-28852
Release Date: 2021-01-02
Fix Resolution: golang-golang-x-text-dev - 0.3.5-1,0.3.5-1
Immutable date wrapper
Library home page: https://registry.npmjs.org/luxon/-/luxon-1.25.0.tgz
Path to dependency file: /cli/daemon/dash/dashapp/package.json
Path to vulnerable library: /cli/daemon/dash/dashapp/node_modules/luxon/package.json
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch prior to 3.2.1, Luxon's DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.
Publish Date: 2023-01-04
URL: CVE-2023-22467
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3xq5-wjfh-ppjc
Release Date: 2023-01-04
Fix Resolution: 1.28.1
⛑️ Automatic Remediation is available for this issue
[mirror] Go Tools
Dependency Hierarchy:
Found in HEAD commit: 7f308ee27451ab65e928f17d457ffcc5ece46781
Found in base branch: main
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0