Giter Site home page Giter Site logo

launtel's Introduction

Launtel

launtel's People

Contributors

mause avatar dependabot[bot] avatar kodiakhq[bot] avatar pre-commit-ci[bot] avatar renovate-bot avatar renovate[bot] avatar mend-bolt-for-github[bot] avatar

Watchers

James Cloos avatar avatar avatar

launtel's Issues

tabletojson-2.0.7.tgz: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - tabletojson-2.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-33987 Medium 5.3 got-11.8.2.tgz Transitive N/A

Details

CVE-2022-33987

Vulnerable Library - got-11.8.2.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • tabletojson-2.0.7.tgz (Root Library)
    • got-11.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Step up your Open Source Security Game with Mend here

bunyan-1.8.15.tgz: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - bunyan-1.8.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-31129 High 7.5 moment-2.29.1.tgz Transitive N/A
CVE-2022-24785 High 7.5 moment-2.29.1.tgz Transitive N/A
CVE-2021-44906 Medium 5.0 minimist-1.2.5.tgz Transitive N/A

Details

CVE-2022-31129

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • bunyan-1.8.15.tgz (Root Library)
    • moment-2.29.1.tgz (Vulnerable Library)

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

Step up your Open Source Security Game with Mend here

CVE-2022-24785

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • bunyan-1.8.15.tgz (Root Library)
    • moment-2.29.1.tgz (Vulnerable Library)

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Found in base branch: main

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: moment - 2.29.2,Moment.js - 2.29.2

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • bunyan-1.8.15.tgz (Root Library)
    • mv-2.1.1.tgz
      • mkdirp-0.5.5.tgz
        • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

Step up your Open Source Security Game with Mend here

vercel-jwt-auth-1.1.9.tgz: 1 vulnerabilities (highest severity is: 7.8)

Vulnerable Library - vercel-jwt-auth-1.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-43138 High 7.8 async-1.5.2.tgz Transitive 1.1.10

Details

CVE-2021-43138

Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

  • vercel-jwt-auth-1.1.9.tgz (Root Library)
    • express-jwt-6.1.0.tgz
      • async-1.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (vercel-jwt-auth): 1.1.10

Step up your Open Source Security Game with Mend here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update actions/upload-artifact action to v4
  • chore(deps): update dependency @types/jsonwebtoken to v9
  • chore(deps): update dependency @types/node to v20
  • fix(deps): update dependency @vercel/node to v3
  • fix(deps): update dependency axios-cookiejar-support to v5
  • fix(deps): update dependency tabletojson to v4
  • fix(deps): update dependency typescript to v5
  • 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/typecheck.yml
  • actions/checkout v2
  • actions/setup-node v2.5.1
  • andoshin11/typescript-error-reporter-action v1.0.2
  • actions/upload-artifact v2
.github/workflows/validate-openapi.yaml
  • actions/checkout v2
  • char0n/swagger-editor-validate v1.3.0
npm
package.json
  • @js-joda/core ^5.2.0
  • @logtail/bunyan ^0.1.10
  • @logtail/node ^0.1.10
  • @types/bunyan ^1.8.8
  • @vercel/node ^2.0.0
  • axios ^0.22.0
  • axios-cookiejar-support ^1.0.1
  • bunyan ^1.8.15
  • class-validator ^0.13.2
  • joi ^17.6.0
  • lodash ^4.17.21
  • tabletojson ^2.0.7
  • tough-cookie ^4.0.0
  • typescript ^4.5.4
  • vercel-jwt-auth ^1.1.9
  • @types/jest ^27.4.0
  • @types/jsonwebtoken ^8.5.8
  • @types/lodash ^4.14.178
  • @types/moxios ^0.4.12
  • @types/node ^16
  • @types/test-listen ^1.1.0
  • @types/tough-cookie ^4.0.1
  • dotenv ^16.0.0
  • jest ^27.2.4
  • moxios ^0.4.0
  • test-listen ^1.1.0
  • ts-jest ^27
  • vercel-node-server ^2.2.1
  • vercel-openapi ^0.1.13
  • Check this box to trigger a request for Renovate to run again on this repository

node-2.2.0.tgz: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - node-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-0235 Medium 6.1 node-fetch-2.6.1.tgz Transitive N/A

Details

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • node-2.2.0.tgz (Root Library)
    • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 0503d7c9c4cecacc2458f017cfc0afaea6e811be

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.