kapseliboi / doit Goto Github PK
View Code? Open in Web Editor NEWThis project forked from heige-pcloud/doit
A clean, elegant and advanced blog theme for Hugo.
Home Page: https://hugodoit.pages.dev
License: MIT License
This project forked from heige-pcloud/doit
A clean, elegant and advanced blog theme for Hugo.
Home Page: https://hugodoit.pages.dev
License: MIT License
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/word-wrap/package.json
Dependency Hierarchy:
Found in base branch: main
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution: word-wrap - 1.2.4
Step up your Open Source Security Game with Mend here
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: main
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (eslint): 8.0.0
Step up your Open Source Security Game with Mend here
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: main
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Step up your Open Source Security Game with Mend here
simple persistent cookiejar system
Library home page: https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cookiejar/package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
Publish Date: 2023-01-18
URL: CVE-2022-25901
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-01-18
Fix Resolution (cookiejar): 2.1.4
Direct dependency fix Resolution (valine): 1.4.17
Step up your Open Source Security Game with Mend here
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.14.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in base branch: main
Babel is a compiler for writingJavaScript. In @babel/traverse
prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse
, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()
or path.evaluateTruthy()
internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime
; @babel/preset-env
when using its useBuiltIns
option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider
, such as babel-plugin-polyfill-corejs3
, babel-plugin-polyfill-corejs2
, babel-plugin-polyfill-es-shims
, babel-plugin-polyfill-regenerator
. No other plugins under the @babel/
namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected]
and @babel/[email protected]
. Those who cannot upgrade @babel/traverse
and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse
versions: @babel/plugin-transform-runtime
v7.23.2, @babel/preset-env
v7.23.2, @babel/helper-define-polyfill-provider
v0.4.3, babel-plugin-polyfill-corejs2
v0.4.6, babel-plugin-polyfill-corejs3
v0.8.5, babel-plugin-polyfill-es-shims
v0.10.0, babel-plugin-polyfill-regenerator
v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution: @babel/traverse - 7.23.2
Step up your Open Source Security Game with Mend here
Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.
Library home page: https://registry.npmjs.org/mermaid/-/mermaid-8.13.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mermaid/package.json
Dependency Hierarchy:
Found in base branch: main
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary CSS
into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS
selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the value
attribute one character at a time. Whenever there is an actual match, an http
request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to Information Disclosure
via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
Publish Date: 2022-06-28
URL: CVE-2022-31108
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x3vm-38hw-55wf
Release Date: 2022-06-28
Fix Resolution: 9.1.3
Step up your Open Source Security Game with Mend here
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: main
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (eslint-plugin-import): 2.26.0
Step up your Open Source Security Game with Mend here
Protocol Buffers for JavaScript. Finally.
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-5.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/protobufjs/package.json
Dependency Hierarchy:
Found in base branch: main
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files
Publish Date: 2022-05-27
URL: CVE-2022-25878
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878
Release Date: 2022-05-27
Fix Resolution: protobufjs - 6.10.3,6.11.3
Step up your Open Source Security Game with Mend here
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tsconfig-paths/node_modules/json5/package.json
Dependency Hierarchy:
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (eslint-plugin-import): 2.26.0
Step up your Open Source Security Game with Mend here
A simple comment system based on Leancloud.
Library home page: https://registry.npmjs.org/valine/-/valine-1.4.16.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/valine/package.json
Dependency Hierarchy:
Found in base branch: main
Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request.
Publish Date: 2022-09-19
URL: CVE-2022-38545
Base Score Metrics:
Step up your Open Source Security Game with Mend here
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/core-js-compat/node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/preset-env/node_modules/semver/package.json,/node_modules/@babel/plugin-transform-runtime/node_modules/semver/package.json,/node_modules/babel-plugin-polyfill-corejs2/node_modules/semver/package.json,/node_modules/@babel/helper-define-polyfill-provider/node_modules/semver/package.json,/node_modules/eslint-plugin-node/node_modules/semver/package.json,/node_modules/@babel/helper-compilation-targets/node_modules/semver/package.json,/node_modules/@babel/core/node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@leancloud/adapters-superagent/node_modules/semver/package.json,/node_modules/eslint/node_modules/semver/package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (eslint): 8.7.0
Step up your Open Source Security Game with Mend here
A url sanitizer
Library home page: https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@braintree/sanitize-url/package.json
Dependency Hierarchy:
Found in base branch: main
The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.
Publish Date: 2022-03-16
URL: CVE-2021-23648
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23648
Release Date: 2022-03-16
Fix Resolution (@braintree/sanitize-url): 6.0.0
Direct dependency fix Resolution (mermaid): 9.0.0
Step up your Open Source Security Game with Mend here
Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).
Library home page: https://registry.npmjs.org/d3-color/-/d3-color-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/d3-color/package.json
Dependency Hierarchy:
Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).
Library home page: https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dagre-d3/node_modules/d3-color/package.json
Dependency Hierarchy:
Found in base branch: main
The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.
Publish Date: 2022-09-29
URL: WS-2022-0322
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-36jr-mh4h-2g58
Release Date: 2022-09-29
Fix Resolution (d3-color): 3.1.0
Direct dependency fix Resolution (mermaid): 8.14.0
Fix Resolution (d3-color): 3.1.0
Direct dependency fix Resolution (mermaid): 8.14.0
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.