dmyers87 / feedback-component Goto Github PK
View Code? Open in Web Editor NEWThis project forked from ramseyinhouse/feedback-component
A native web component for collecting quick user feedback.
License: GNU General Public License v3.0
This project forked from ramseyinhouse/feedback-component
A native web component for collecting quick user feedback.
License: GNU General Public License v3.0
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (microbundle): 0.13.1
Cypress's fork of a simplified HTTP request client.
Library home page: https://registry.npmjs.org/@cypress/request/-/request-2.88.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@cypress/request/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/word-wrap/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Publish Date: 2023-06-22
URL: CVE-2023-26115
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution: word-wrap - 1.2.4
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (sass): 1.32.12
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.12.12.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.14.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
Babel is a compiler for writingJavaScript. In @babel/traverse
prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse
, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()
or path.evaluateTruthy()
internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime
; @babel/preset-env
when using its useBuiltIns
option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider
, such as babel-plugin-polyfill-corejs3
, babel-plugin-polyfill-corejs2
, babel-plugin-polyfill-es-shims
, babel-plugin-polyfill-regenerator
. No other plugins under the @babel/
namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected]
and @babel/[email protected]
. Those who cannot upgrade @babel/traverse
and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse
versions: @babel/plugin-transform-runtime
v7.23.2, @babel/preset-env
v7.23.2, @babel/helper-define-polyfill-provider
v0.4.3, babel-plugin-polyfill-corejs2
v0.4.6, babel-plugin-polyfill-corejs3
v0.8.5, babel-plugin-polyfill-es-shims
v0.10.0, babel-plugin-polyfill-regenerator
v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (microbundle): 0.13.1
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (stylelint): 14.0.0-0
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (eslint): 8.7.0
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (stylelint): 16.0.0-0
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 3.2.2
Direct dependency fix Resolution (cypress): 7.2.0
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (microbundle): 0.13.1
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (microbundle): 0.13.1
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (microbundle): 0.13.1
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 8.2.10
Direct dependency fix Resolution (microbundle): 0.13.1
Fix Resolution (postcss): 8.2.10
Direct dependency fix Resolution (microbundle): 0.13.1
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (microbundle): 0.13.1
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (microbundle): 0.13.1
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (microbundle): 0.13.1
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (eslint): 7.25.0
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (cypress): 7.2.0
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (microbundle): 0.13.1
get colors in your node.js console
Library home page: https://registry.npmjs.org/colors/-/colors-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/colors/package.json
Dependency Hierarchy:
Found in base branch: master
The package colors after 1.4.0 are vulnerable to Denial of Service (DoS) that was introduced through an infinite loop in the americanFlag module. Unfortunately this appears to have been a purposeful attempt by a maintainer of colors to make the package unusable, other maintainers' controls over this package appear to have been revoked in an attempt to prevent them from fixing the issue. Vulnerable Code js for (let i = 666; i < Infinity; i++;) { Alternative Remediation Suggested * Pin dependancy to 1.4.0
Publish Date: 2022-01-14
URL: CVE-2021-23567
Base Score Metrics:
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (microbundle): 0.13.1
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (microbundle): 0.13.1
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
Base Score Metrics:
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (serve): 12.0.0
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (microbundle): 0.13.1
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (cypress): 7.2.0
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (microbundle): 0.13.1
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270
Release Date: 2023-09-29
Fix Resolution: postcss - 8.4.31
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (stylelint): 14.3.0
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
Found in base branch: master
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (cypress): 7.2.0
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (microbundle): 0.13.1
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
Found in base branch: master
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.14.2
Direct dependency fix Resolution (microbundle): 0.13.1
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (microbundle): 0.13.1
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (microbundle): 0.13.1
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (stylelint): 14.0.0-0
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: d9179754f1b9c5ba9593a2693ba3140d5dc67e69
Found in base branch: master
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (microbundle): 0.13.1
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (microbundle): 0.13.1
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.