kapseliboi / kefir Goto Github PK
View Code? Open in Web Editor NEWThis project forked from kefirjs/kefir
A Reactive Programming library for JavaScript
Home Page: https://kefirjs.github.io/kefir/
License: MIT License
This project forked from kefirjs/kefir
A Reactive Programming library for JavaScript
Home Page: https://kefirjs.github.io/kefir/
License: MIT License
Object value retrieval given a string path
Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pathval/package.json
Dependency Hierarchy:
Found in base branch: master
pathval before version 1.1.1 is vulnerable to prototype pollution.
Publish Date: 2020-10-26
URL: CVE-2020-7751
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751
Release Date: 2020-10-26
Fix Resolution (pathval): 1.1.1
Direct dependency fix Resolution (chai): 4.3.0
Step up your Open Source Security Game with Mend here
A clean, whitespace-sensitive template language for writing HTML
Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pug/package.json
Dependency Hierarchy:
Found in base branch: master
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty
option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty
option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Publish Date: 2021-03-03
URL: CVE-2021-21353
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p493-635q-r6gr
Release Date: 2021-03-03
Fix Resolution: 3.0.0-canary-1
Step up your Open Source Security Game with Mend here
JSON for the ES5 era.
Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: master
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (rollup-plugin-babel): 3.0.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pathval/package.json
Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-7751 | High | 7.2 | pathval-1.1.0.tgz | Transitive | 4.3.0 |
Object value retrieval given a string path
Library home page: https://registry.npmjs.org/pathval/-/pathval-1.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pathval/package.json
Dependency Hierarchy:
Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496
Found in base branch: master
pathval before version 1.1.1 is vulnerable to prototype pollution.
Publish Date: 2020-10-26
URL: CVE-2020-7751
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751
Release Date: 2020-10-26
Fix Resolution (pathval): 1.1.1
Direct dependency fix Resolution (chai): 4.3.0
Step up your Open Source Security Game with WhiteSource here
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cliui/node_modules/ansi-regex/package.json,/node_modules/wrap-ansi/node_modules/ansi-regex/package.json,/node_modules/yargs/node_modules/ansi-regex/package.json,/node_modules/inquirer/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/string-width/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (inquirer): 7.0.5
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (inquirer): 6.4.0
Step up your Open Source Security Game with Mend here
A clean, whitespace-sensitive template language for writing HTML
Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pug/package.json
Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-21353 | High | 9.0 | pug-2.0.4.tgz | Direct | 3.0.0-canary-1 |
A clean, whitespace-sensitive template language for writing HTML
Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pug/package.json
Dependency Hierarchy:
Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496
Found in base branch: master
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty
option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty
option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Publish Date: 2021-03-03
URL: CVE-2021-21353
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p493-635q-r6gr
Release Date: 2021-03-03
Fix Resolution: 3.0.0-canary-1
Step up your Open Source Security Game with WhiteSource here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/string-width/node_modules/ansi-regex/package.json
Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3807 | High | 7.5 | multiple | Transitive | 7.0.5 |
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cliui/node_modules/ansi-regex/package.json,/node_modules/wrap-ansi/node_modules/ansi-regex/package.json,/node_modules/yargs/node_modules/ansi-regex/package.json,/node_modules/inquirer/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/string-width/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: f3296c05df6d6dd40c762129c26a928187b17496
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (inquirer): 7.0.5
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (inquirer): 7.0.5
Step up your Open Source Security Game with WhiteSource here
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-6.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/package.json
Dependency Hierarchy:
Found in base branch: master
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Publish Date: 2021-09-18
URL: WS-2021-0638
Base Score Metrics:
Step up your Open Source Security Game with Mend here
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/rollup-plugin-commonjs/node_modules/acorn/package.json
Dependency Hierarchy:
Found in base branch: master
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (rollup-plugin-commonjs): 9.0.0
Step up your Open Source Security Game with Mend here
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Step up your Open Source Security Game with Mend here
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (mocha): 7.0.0-esm1
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.