pactflow / example-consumer Goto Github PK
View Code? Open in Web Editor NEWAn example of a consumer that uses Pact+PactFlow to create a consumer driven contract with its provider
Home Page: https://pactflow.io
License: MIT License
An example of a consumer that uses Pact+PactFlow to create a consumer driven contract with its provider
Home Page: https://pactflow.io
License: MIT License
example-consumer/src/api.pact.spec.js
Line 45 in 07112a4
Hello, I wonder when this return function will be execute and how to configure this mockserver paramter passed in this callback function.
Issue: [BUG] Unable to setup front end for consumer due to js error
Steps to Repo
Clone repo to local and set up the consumer using npm install and npm start
Platform: Windows
User gets and error : Failed prop type: Invalid prop children
of type array
supplied to Layout
, expected a single ReactElement type
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ini/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (react-scripts): 3.4.4
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (swagger-mock-validator): 10.0.1
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json
Dependency Hierarchy:
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/node_modules/ssri/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 7.1.1
Direct dependency fix Resolution (react-scripts): 3.4.4
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (react-scripts): 3.4.4
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (react-scripts): 3.4.4
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (react-scripts): 5.0.1
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-normalize-url/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (react-scripts): 5.0.0
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (react-scripts): 5.0.0
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (react-scripts): 3.4.4
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
A prototype pollution vulnerability has been found in object-path
<= 0.11.4 affecting the set()
method. The vulnerability is limited to the includeInheritedProps
mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path
and setting the option includeInheritedProps: true
, or by using the default withInheritedProps
instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set()
in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true
options or the withInheritedProps
instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (react-scripts): 3.4.4
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (react-scripts): 5.0.0
Update to
"@pact-foundation/pact": "^9.17.2",
"@pact-foundation/pact-node": "^10.17.1",```
Env var not required for non BYO case, as it has a fallback.
Possibly add the fallback, or add into the instructions, reminder to set PACT_PROVIDER env var.
{"errors":{"contracts":["providerName is missing at index 0"]}}
make[1]: *** [publish_pacts] Error 1
make: *** [fake_ci_nock] Error 2
api.pact.spec.js
provider: process.env.PACT_PROVIDER ? process.env.PACT_PROVIDER : 'pactflow-example-provider',
api.record.spec.js
provider: { name: process.env.PACT_PROVIDER },
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (react-scripts): 3.4.4
JavaScript micro templates.
Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tmpl/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3777
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (tmpl): 1.0.5
Direct dependency fix Resolution (react-scripts): 3.4.4
Should we add it into the .env
/ readme instructions or Makefile
?
========== STAGE: test (nock) ==========
npm run test:nock
> [email protected] test:nock
> cross-env CI=true react-scripts test --testTimeout 30000 nock.spec.js
FAIL src/api.nock.spec.js
● Test suite failed to run
TypeError: Cannot read properties of undefined (reading 'endsWith')
10 | url = process.env.REACT_APP_API_BASE_URL;
11 | }
> 12 | if (url.endsWith("/")) {
| ^
13 | url = url.substr(0, url.length - 1)
14 | }
15 | this.url = url
at new API (src/api.js:12:13)
at Object.<anonymous> (src/api.js:48:16)
at Object.<anonymous> (src/api.nock.spec.js:1:1)
Test Suites: 1 failed, 1 total
Tests: 0 total
Snapshots: 0 total
Time: 1.346s
Ran all test suites matching /nock.spec.js/i.
make: *** [test_nock] Error 1
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.
Publish Date: 2021-08-27
URL: CVE-2021-23434
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (react-scripts): 3.4.4
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/resolve-url-loader/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (react-scripts): 3.4.4
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (react-scripts): 3.4.4
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (react-scripts): 3.4.4
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-13.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/validator/package.json
Dependency Hierarchy:
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-12.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/z-schema/node_modules/validator/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
validator.js is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-11-02
URL: CVE-2021-3765
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qgmg-gppg-76g5
Release Date: 2021-11-02
Fix Resolution (validator): 13.7.0
Direct dependency fix Resolution (swagger-mock-validator): 10.0.1
Fix Resolution (validator): 13.7.0
Direct dependency fix Resolution (swagger-mock-validator): 10.0.1
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Hi,
I found that I am unable to continue with CICD workshop when I have source code in working directory is too long. See pact-foundation/pact-js-core#100 . Workaround is to clone it into short directory eg c:/a/example-consumer.
Ivos
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsdom/node_modules/acorn/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/base/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2020-08-24
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (react-scripts): 3.4.4
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects all versions of package immer.
Publish Date: 2021-01-19
URL: CVE-2020-28477
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-01-19
Fix Resolution (immer): 8.0.1
Direct dependency fix Resolution (react-scripts): 4.0.0
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json,/node_modules/svgo/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json,/node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
make fake_ci
& make fake_ci_nock
fail on can-i-deploy - Environment with name 'production' does not exist
I assume this is expected, as we have no provider verification at this point. Might be worth mentioning in the docs?
========== STAGE: publish pacts ==========
Created pactflow-example-consumer version 4bd4730+1646229716 with tags March2022Update
Next steps:
Configure the version branch to be the value of your repository branch.
Pact successfully published for pactflow-example-consumer version 4bd4730+1646229716 and provider pactflow-example-provider-dredd.
View the published pact at https://you54f.pactflow.io/pacts/provider/pactflow-example-provider-dredd/consumer/pactflow-example-consumer/version/4bd4730%2B1646229716
Events detected: contract_published, contract_content_changed (first time any pact published for this consumer with consumer version tagged March2022Update)
Next steps:
* Add Pact verification tests to the pactflow-example-provider-dredd build. See https://docs.pact.io/go/provider_verification
* Configure separate pactflow-example-provider-dredd pact verification build and webhook to trigger it when the pact content changes. See https://docs.pact.io/go/webhooks
========== STAGE: can-i-deploy? ==========
Environment with name 'production' does not exist
make[1]: *** [can_i_deploy] Error 1
make: *** [fake_ci_nock] Error 2
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (react-scripts): 5.0.0
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (react-scripts): 3.4.4
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (react-scripts): 3.4.4
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/string-length/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/react-dev-utils/node_modules/strip-ansi/node_modules/ansi-regex/package.json,/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pretty-format/node_modules/ansi-regex/package.json,/node_modules/react-dev-utils/node_modules/ansi-regex/package.json,/node_modules/strip-ansi/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (react-scripts): 3.4.4
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (react-scripts): 3.4.4
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (react-scripts): 5.0.0
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Publish Date: 2021-09-01
URL: CVE-2021-23436
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436
Release Date: 2021-09-01
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (react-scripts): 5.0.0
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (react-scripts): 3.4.4
Hello - running this in a Windows 10 environment with VS Code. When running "npm t", the Pact test is failing with this error - I've been looking for where to install this module from, but so far have not found it:
FAIL src/api.pact.spec.js
● Test suite failed to run
**Cannot find module '@pact-foundation/pact/dsl/matchers' from 'api.pact.spec.js'**
1 | import { Pact } from '@pact-foundation/pact';
2 | import { API } from './api';
> 3 | import { eachLike, like, regex } from '@pact-foundation/pact/dsl/matchers';
| ^
4 | import { Product } from './product';
5 |
6 | const mockProvider = new Pact({
at Resolver.resolveModule (node_modules/jest-resolve/build/index.js:259:17)
at Object.<anonymous> (src/api.pact.spec.js:3:1)
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (react-scripts): 3.4.4
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 3.4.4
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Recursively merge values in a javascript object.
Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/merge-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
Publish Date: 2021-06-02
URL: CVE-2021-26707
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259
Release Date: 2021-06-02
Fix Resolution (merge-deep): 3.0.3
Direct dependency fix Resolution (react-scripts): 3.4.4
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (react-scripts): 3.4.4
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 2.0.0
Direct dependency fix Resolution (react-scripts): 5.0.1
Fix Resolution (loader-utils): 2.0.0
Direct dependency fix Resolution (react-scripts): 5.0.1
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
Base Score Metrics:
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (react-scripts): 5.0.0
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.0.0-beta.0
Direct dependency fix Resolution (react-scripts): 5.0.0
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsonpointer/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution (jsonpointer): 5.0.0
Direct dependency fix Resolution (swagger-mock-validator): 10.1.2
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-html/package.json
Dependency Hierarchy:
Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f
Found in base branch: master
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (react-scripts): 5.0.0
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.