justo-mend / demo-mcw-suppressed
Demonstrates suppressing low and neutral confidence updates
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These branches will be created by Renovate only once you click their checkbox below.
- eslint, @types/eslint
- @jest/globals, @jest/reporters, @jest/test-result, @types/jest, jest
- @typescript-eslint/eslint-plugin, @typescript-eslint/parser

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- @typescript-eslint/eslint-plugin, @typescript-eslint/parser

package.json
renovate 34.152.2
@jest/globals 29.3.1
@jest/reporters 29.3.1
@jest/test-result 29.3.1
@ls-lint/ls-lint 1.11.2
@renovate/eslint-plugin v0.0.5
@types/eslint 8.21.0
@types/jest 29.2.4
@types/node 16.18.12
@types/shelljs 0.8.11
@typescript-eslint/eslint-plugin 5.51.0
@typescript-eslint/parser 5.51.0
cross-env 7.0.3
eslint 8.33.0
eslint-config-prettier 8.5.0
eslint-formatter-gha 1.4.1
eslint-import-resolver-typescript 3.5.1
eslint-plugin-import 2.26.0
eslint-plugin-jest 27.1.6
eslint-plugin-jest-formatting 3.1.0
eslint-plugin-promise 6.0.1
eslint-plugin-typescript-enum 2.1.0
expect-more-jest 5.4.1
husky 8.0.2
jest 29.3.1
jest-extended 3.2.0
jest-junit 15.0.0
jest-mock-extended 3.0.1
npm-run-all 4.1.5
prettier 2.7.1
pretty-quick ^3.1.3
shelljs 0.8.5
ts-jest 29.0.3
ts-node 10.9.1
tsconfig-paths ^4.1.1
typescript 4.8.3
CVE | Severity | CVSS | Dependency | Type | Fixed in (renovate version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-34104 | High | 7.5 | fast-xml-parser-4.0.11.tgz | Transitive | 35.113.2 | ✅ |
CVE-2022-25883 | High | 7.5 | detected in multiple dependencies | Transitive | 35.115.0 | ✅ |
CVE-2023-26920 | Medium | 6.5 | fast-xml-parser-4.0.11.tgz | Transitive | 34.154.6 | ✅ |
CVE-2023-41037 | Medium | 4.3 | openpgp-5.5.0.tgz | Transitive | 35.60.0 | ✅ |

** In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
Found in base branch: main
fast-xml-parser is an open source, pure JavaScript XML parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option.
Publish Date: 2023-06-06
URL: CVE-2023-34104
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6w63-h3fj-q4vw
Release Date: 2023-06-06
Fix Resolution (fast-xml-parser): 4.2.4
Direct dependency fix Resolution (renovate): 35.113.2
Automatic Remediation will be attempted for this issue.
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/git-raw-commits/node_modules/semver/package.json,/node_modules/make-fetch-happen/node_modules/semver/package.json,/node_modules/@opentelemetry/sdk-trace-node/node_modules/semver/package.json,/node_modules/@npmcli/fs/node_modules/semver/package.json,/node_modules/node-gyp/node_modules/semver/package.json,/node_modules/builtins/node_modules/semver/package.json,/node_modules/@yarnpkg/core/node_modules/semver/package.json,/node_modules/global-agent/node_modules/semver/package.json,/node_modules/editorconfig/node_modules/semver/package.json,/node_modules/@opentelemetry/instrumentation-http/node_modules/semver/package.json,/node_modules/renovate/node_modules/semver/package.json,/node_modules/@opentelemetry/instrumentation/node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-package-data/node_modules/semver/package.json
Dependency Hierarchy:
Found in base branch: main
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function `new Range`, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (renovate): 35.115.0
Automatic Remediation will be attempted for this issue.
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.0.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/fast-xml-parser/package.json
Dependency Hierarchy:
Found in base branch: main
fast-xml-parser before 4.1.2 allows `__proto__` for Prototype Pollution.
Publish Date: 2023-12-12
URL: CVE-2023-26920
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-x3cc-x39p-42qx
Release Date: 2023-02-27
Fix Resolution (fast-xml-parser): 4.1.2
Direct dependency fix Resolution (renovate): 34.154.6
Automatic Remediation will be attempted for this issue.
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol, which is defined in RFC 4880.
Library home page: https://registry.npmjs.org/openpgp/-/openpgp-5.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/openpgp/package.json
Dependency Hierarchy:
Found in base branch: main
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead visually trusting the contents of the original message. Since `verificationResult.data` would always contain the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()`) will also result in a "sanitised" version, with the extraneous text being removed. This issue has been addressed in version 5.10.1 (current stable version), which will reject such messages when calling `openpgp.readCleartextMessage()`, and in version 4.10.11 (legacy version), which will reject them when calling `openpgp.cleartext.readArmored()`. Users are advised to upgrade. Users unable to upgrade should check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.
Publish Date: 2023-08-29
URL: CVE-2023-41037
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-ch3c-v47x-4pgp
Release Date: 2023-08-29
Fix Resolution (openpgp): 5.10.1
Direct dependency fix Resolution (renovate): 35.60.0
Automatic Remediation will be attempted for this issue.
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json5
Error type: Invalid JSON5 (parsing failed)
Message: JSON5.parse error: JSON5: invalid character '\"' at 22:7