1{
2 "actions": [
3 {
4 "isMajor": true,
5 "action": "install",
6 "resolves": [
7 {
8 "id": 1179,
9 "path": "tar>mkdirp>minimist",
10 "dev": false,
11 "optional": false,
12 "bundled": false
13 }
14 ],
15 "module": "tar",
16 "target": "6.0.1"
17 },
18 {
19 "isMajor": true,
20 "action": "install",
21 "resolves": [
22 {
23 "id": 1179,
24 "path": "nyc>spawn-wrap>mkdirp>minimist",
25 "dev": true,
26 "optional": false,
27 "bundled": false
28 }
29 ],
30 "module": "nyc",
31 "target": "15.0.0"
32 },
33 {
34 "action": "update",
35 "resolves": [
36 {
37 "id": 1179,
38 "path": "nyc>istanbul-reports>handlebars>optimist>minimist",
39 "dev": true,
40 "optional": false,
41 "bundled": false
42 }
43 ],
44 "module": "istanbul-reports",
45 "target": "2.2.7",
46 "depth": 2
47 },
48 {
49 "action": "update",
50 "resolves": [
51 {
52 "id": 1488,
53 "path": "eslint>espree>acorn",
54 "dev": true,
55 "optional": false,
56 "bundled": false
57 }
58 ],
59 "module": "acorn",
60 "target": "7.1.1",
61 "depth": 3
62 },
63 {
64 "action": "review",
65 "module": "minimist",
66 "resolves": [
67 {
68 "id": 1179,
69 "path": "eslint>file-entry-cache>flat-cache>write>mkdirp>minimist",
70 "dev": true,
71 "optional": false,
72 "bundled": false
73 },
74 {
75 "id": 1179,
76 "path": "eslint>mkdirp>minimist",
77 "dev": true,
78 "optional": false,
79 "bundled": false
80 },
81 {
82 "id": 1179,
83 "path": "mocha>mkdirp>minimist",
84 "dev": true,
85 "optional": false,
86 "bundled": false
87 },
88 {
89 "id": 1179,
90 "path": "mocha-jenkins-reporter>mocha>mkdirp>minimist",
91 "dev": true,
92 "optional": false,
93 "bundled": false
94 },
95 {
96 "id": 1179,
97 "path": "mocha-jenkins-reporter>mkdirp>minimist",
98 "dev": true,
99 "optional": false,
100 "bundled": false
101 }
102 ]
103 }
104 ],
105 "advisories": {
106 "1179": {
107 "findings": [
108 {
109 "version": "0.0.8",
110 "paths": [
111 "tar>mkdirp>minimist",
112 "eslint>file-entry-cache>flat-cache>write>mkdirp>minimist",
113 "eslint>mkdirp>minimist",
114 "mocha>mkdirp>minimist",
115 "mocha-jenkins-reporter>mocha>mkdirp>minimist",
116 "mocha-jenkins-reporter>mkdirp>minimist",
117 "nyc>spawn-wrap>mkdirp>minimist",
118 "nyc>istanbul-reports>handlebars>optimist>minimist"
119 ]
120 }
121 ],
122 "id": 1179,
123 "created": "2019-09-23T15:01:43.049Z",
124 "updated": "2020-03-18T14:04:28.867Z",
125 "deleted": null,
126 "title": "Prototype Pollution",
127 "found_by": {
128 "link": "https://www.checkmarx.com/resources/blog/",
129 "name": "Checkmarx Research Team",
130 "email": ""
131 },
132 "reported_by": {
133 "link": "https://www.checkmarx.com/resources/blog/",
134 "name": "Checkmarx Research Team",
135 "email": ""
136 },
137 "module_name": "minimist",
138 "cves": [],
139 "vulnerable_versions": "<0.2.1 || >=1.0.0 <1.2.3",
140 "patched_versions": ">=0.2.1 <1.0.0 || >=1.2.3",
141 "overview": "Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises an uncaught error and crashes the application. \nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n",
142 "recommendation": "Upgrade to versions 0.2.1, 1.2.3 or later.",
143 "references": "- [GitHub commit 1](https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95)\n- [GitHub commit 2](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)",
144 "access": "public",
145 "severity": "moderate",
146 "cwe": "CWE-471",
147 "metadata": {
148 "module_type": "",
149 "exploitability": 2,
150 "affected_components": ""
151 },
152 "url": "https://npmjs.com/advisories/1179"
153 },
154 "1488": {
155 "findings": [
156 {
157 "version": "7.0.0",
158 "paths": [
159 "eslint>espree>acorn"
160 ]
161 }
162 ],
163 "id": 1488,
164 "created": "2020-03-02T19:21:25.485Z",
165 "updated": "2020-03-10T17:44:45.038Z",
166 "deleted": null,
167 "title": "Regular Expression Denial of Service",
168 "found_by": {
169 "link": "",
170 "name": "Peter van der Zee",
171 "email": ""
172 },
173 "reported_by": {
174 "link": "",
175 "name": "Peter van der Zee",
176 "email": ""
177 },
178 "module_name": "acorn",
179 "cves": [],
180 "vulnerable_versions": ">=5.5.0 <5.7.4 || >=6.0.0 <6.4.1 || >=7.0.0 <7.1.1",
181 "patched_versions": ">=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1",
182 "overview": "Affected versions of `acorn` are vulnerable to Regular Expression Denial of Service. A regex in the form of `/[x-\\ud800]/u` causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to `acorn`, attackers may leverage the vulnerability leading to Denial of Service.",
183 "recommendation": "Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later.",
184 "references": "",
185 "access": "public",
186 "severity": "moderate",
187 "cwe": "CWE-400",
188 "metadata": {
189 "module_type": "",
190 "exploitability": 3,
191 "affected_components": ""
192 },
193 "url": "https://npmjs.com/advisories/1488"
194 }
195 },
196 "muted": [],
197 "metadata": {
198 "vulnerabilities": {
199 "info": 0,
200 "low": 0,
201 "moderate": 9,
202 "high": 0,
203 "critical": 0
204 },
205 "dependencies": 165,
206 "devDependencies": 743,
207 "optionalDependencies": 11,
208 "totalDependencies": 916
209 },
210 "runId": "ef64108c-7566-48bc-8b99-f934b8e65b24"
211}