demo-mcw-addlabels's Issues
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Rate-Limited
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
- Replace dependency npm-run-all with npm-run-all2 5.0.0
- Update dependency ts-node to v10.9.2
- Update dependency @ls-lint/ls-lint to v2
- Update dependency @types/node to v20
- Update dependency eslint-config-prettier to v9
- Update dependency husky to v9
- Update dependency jest-extended to v4
- Update dependency prettier to v3
- Update dependency pretty-quick to v4
- Update typescript-eslint monorepo to v7 (major) (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
- Create all rate-limited PRs at once
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- Update dependency renovate to v35
- Update dependency @types/node to v16.18.87
- Update dependency @types/shelljs to v0.8.15
- Update dependency eslint-formatter-gha to v1.4.3
- Update dependency husky to v8.0.3
- Update dependency jest-extended to v3.2.4
- Update dependency jest-mock-extended to v3.0.5
- Update dependency eslint to v8.57.0 (eslint, @types/eslint)
- Update dependency eslint-config-prettier to v8.10.0
- Update dependency eslint-import-resolver-typescript to v3.6.1
- Update dependency eslint-plugin-import to v2.29.1
- Update dependency eslint-plugin-jest to v27.9.0
- Update dependency eslint-plugin-promise to v6.1.1
- Update dependency expect-more-jest to v5.5.0
- Update dependency prettier to v2.8.8
- Update dependency ts-jest to v29.1.2
- Update dependency typescript to v4.9.5
- Update jest monorepo (@jest/globals, @jest/reporters, @jest/test-result, @types/jest, jest)
- Update typescript-eslint monorepo to v5.62.0 (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
- Update dependency jest-junit to v16
- Update dependency typescript to v5
- Click on this checkbox to rebase all open PRs at once
Detected dependencies
npm
package.json
renovate 34.152.2
@jest/globals 29.3.1
@jest/reporters 29.3.1
@jest/test-result 29.3.1
@ls-lint/ls-lint 1.11.2
@renovate/eslint-plugin v0.0.5
@types/eslint 8.21.0
@types/jest 29.2.4
@types/node 16.18.12
@types/shelljs 0.8.11
@typescript-eslint/eslint-plugin 5.51.0
@typescript-eslint/parser 5.51.0
cross-env 7.0.3
eslint 8.33.0
eslint-config-prettier 8.5.0
eslint-formatter-gha 1.4.1
eslint-import-resolver-typescript 3.5.1
eslint-plugin-import 2.26.0
eslint-plugin-jest 27.1.6
eslint-plugin-jest-formatting 3.1.0
eslint-plugin-promise 6.0.1
eslint-plugin-typescript-enum 2.1.0
expect-more-jest 5.4.1
husky 8.0.2
jest 29.3.1
jest-extended 3.2.0
jest-junit 15.0.0
jest-mock-extended 3.0.1
npm-run-all 4.1.5
prettier 2.7.1
pretty-quick ^3.1.3
shelljs 0.8.5
ts-jest 29.0.3
ts-node 10.9.1
tsconfig-paths ^4.1.1
typescript 4.8.4
renovate-34.152.2.tgz: 4 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - renovate-34.152.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/openpgp/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (renovate version) | Remediation Possible**
---|---|---|---|---|---|---
CVE-2023-34104 | High | 7.5 | fast-xml-parser-4.0.11.tgz | Transitive | 35.113.2 | Yes
CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | 35.115.0 | Yes
CVE-2023-26920 | Medium | 6.5 | fast-xml-parser-4.0.11.tgz | Transitive | 34.154.6 | Yes
CVE-2023-41037 | Medium | 4.3 | openpgp-5.5.0.tgz | Transitive | 35.60.0 | Yes

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2023-34104
Vulnerable Library - fast-xml-parser-4.0.11.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - client-ec2-3.256.0.tgz
    - fast-xml-parser-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-xml-parser is an open source, pure JavaScript XML parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option.
Publish Date: 2023-06-06
URL: CVE-2023-34104
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6w63-h3fj-q4vw
Release Date: 2023-06-06
Fix Resolution (fast-xml-parser): 4.2.4
Direct dependency fix Resolution (renovate): 35.113.2
Automatic Remediation will be attempted for this issue.
CVE-2022-25883
Vulnerable Libraries - semver-7.5.0.tgz, semver-6.3.0.tgz, semver-5.7.1.tgz, semver-7.3.8.tgz
semver-7.5.0.tgz
Library home page: https://registry.npmjs.org/semver/-/semver-7.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library:
- /node_modules/@opentelemetry/instrumentation-http/node_modules/semver/package.json
- /node_modules/editorconfig/node_modules/semver/package.json
- /node_modules/@opentelemetry/sdk-trace-node/node_modules/semver/package.json
- /node_modules/make-fetch-happen/node_modules/semver/package.json
- /node_modules/@npmcli/fs/node_modules/semver/package.json
- /node_modules/git-raw-commits/node_modules/semver/package.json
- /node_modules/@yarnpkg/core/node_modules/semver/package.json
- /node_modules/global-agent/node_modules/semver/package.json
- /node_modules/builtins/node_modules/semver/package.json
- /node_modules/@opentelemetry/instrumentation/node_modules/semver/package.json
- /node_modules/node-gyp/node_modules/semver/package.json

Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - global-agent-3.0.0.tgz
    - semver-7.5.0.tgz (Vulnerable Library)
semver-6.3.0.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - semver-stable-3.0.0.tgz
    - semver-6.3.0.tgz (Vulnerable Library)
semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-package-data/node_modules/semver/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - conventional-commits-detector-1.0.3.tgz
    - meow-7.1.1.tgz
      - normalize-package-data-2.5.0.tgz
        - semver-5.7.1.tgz (Vulnerable Library)
semver-7.3.8.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/renovate/node_modules/semver/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - semver-7.3.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function `new Range`, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (renovate): 35.115.0
Automatic Remediation will be attempted for this issue.
CVE-2023-26920
Vulnerable Library - fast-xml-parser-4.0.11.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - client-ec2-3.256.0.tgz
    - fast-xml-parser-4.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
fast-xml-parser before 4.1.2 allows `__proto__` for Prototype Pollution.
Publish Date: 2023-12-12
URL: CVE-2023-26920
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-x3cc-x39p-42qx
Release Date: 2023-02-27
Fix Resolution (fast-xml-parser): 4.1.2
Direct dependency fix Resolution (renovate): 34.154.6
Automatic Remediation will be attempted for this issue.
CVE-2023-41037
Vulnerable Library - openpgp-5.5.0.tgz
OpenPGP.js is a Javascript implementation of the OpenPGP protocol. This is defined in RFC 4880.
Library home page: https://registry.npmjs.org/openpgp/-/openpgp-5.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/openpgp/package.json
Dependency Hierarchy:
- renovate-34.152.2.tgz (Root Library)
  - openpgp-5.5.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead visually trusting the contents of the original message. Since `verificationResult.data` would always contain the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()`) will also result in a "sanitised" version, with the extraneous text being removed. This issue has been addressed in version 5.10.1 (current stable version), which will reject such messages when calling `openpgp.readCleartextMessage()`, and in version 4.10.11 (legacy version), which will reject such messages when calling `openpgp.cleartext.readArmored()`. Users are advised to upgrade. Users unable to upgrade should check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.
Publish Date: 2023-08-29
URL: CVE-2023-41037
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-ch3c-v47x-4pgp
Release Date: 2023-08-29
Fix Resolution (openpgp): 5.10.1
Direct dependency fix Resolution (renovate): 35.60.0
Automatic Remediation will be attempted for this issue.
Dependency Dashboard - Closed by JustoMend
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Rate-Limited
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
- Update dependency eslint-formatter-gha to v1.4.2
- Update dependency eslint-import-resolver-typescript to v3.5.5
- Update dependency husky to v8.0.3
- Update dependency jest-extended to v3.2.4
- Update dependency jest-mock-extended to v3.0.4
- Update dependency eslint to v8.39.0 (eslint, @types/eslint)
- Update dependency eslint-config-prettier to v8.8.0
- Update dependency eslint-plugin-import to v2.27.5
- Update dependency eslint-plugin-jest to v27.2.1
- Update dependency eslint-plugin-promise to v6.1.1
- Update dependency expect-more-jest to v5.5.0
- Update dependency prettier to v2.8.8
- Update dependency renovate to v34.160.0
- Update dependency ts-jest to v29.1.0
- Update dependency typescript to v4.9.5
- Update jest monorepo (@jest/globals, @jest/reporters, @jest/test-result, @types/jest, jest)
- Update typescript-eslint monorepo to v5.59.1 (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
- Update dependency @types/node to v18
- Update dependency jest-junit to v16
- Update dependency renovate to v35
- Update dependency typescript to v5
- Create all rate-limited PRs at once
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Detected dependencies
npm
package.json
renovate 34.152.2
@jest/globals 29.3.1
@jest/reporters 29.3.1
@jest/test-result 29.3.1
@ls-lint/ls-lint 1.11.2
@renovate/eslint-plugin v0.0.5
@types/eslint 8.21.0
@types/jest 29.2.4
@types/node 16.18.12
@types/shelljs 0.8.11
@typescript-eslint/eslint-plugin 5.51.0
@typescript-eslint/parser 5.51.0
cross-env 7.0.3
eslint 8.33.0
eslint-config-prettier 8.5.0
eslint-formatter-gha 1.4.1
eslint-import-resolver-typescript 3.5.1
eslint-plugin-import 2.26.0
eslint-plugin-jest 27.1.6
eslint-plugin-jest-formatting 3.1.0
eslint-plugin-promise 6.0.1
eslint-plugin-typescript-enum 2.1.0
expect-more-jest 5.4.1
husky 8.0.2
jest 29.3.1
jest-extended 3.2.0
jest-junit 15.0.0
jest-mock-extended 3.0.1
npm-run-all 4.1.5
prettier 2.7.1
pretty-quick ^3.1.3
shelljs 0.8.5
ts-jest 29.0.3
ts-node 10.9.1
tsconfig-paths ^4.1.1
typescript 4.8.4
- Check this box to trigger a request for Renovate to run again on this repository