Giter Site home page Giter Site logo

pactflow / example-consumer Goto Github PK

View Code? Open in Web Editor NEW
25.0 25.0 490.0 2.34 MB

An example of a consumer that uses Pact+PactFlow to create a consumer driven contract with its provider

Home Page: https://pactflow.io

License: MIT License

Makefile 23.51% HTML 4.44% JavaScript 70.06% CSS 2.00%

example-consumer's People

Contributors

b3nnyl avatar bethesque avatar dependabot[bot] avatar mefellows avatar mend-for-github-com[bot] avatar timothyjones avatar tuan-pham avatar uglyog avatar you54f avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

mefellows nathandeamer haylingsailor freddiecarre lorezzed andrealombardi dombarber stevenharperuk-throwaway liamraemclauchlan tinexw tkoerner anjagruss shilgam arindamdat riglesiasm mderhille mnaeem95 laurapauly conjordan 03ayush sairandhreeibm wapritchard lt-mayonesa adriendevillers jstoebel alecgerona dennisplaydon obinna240 rodolfouriel jsantodo liceur sarajcarbajal morvader alvarogonzalezcans gsancheznieto baezecillo wilkinsleung0712 whrostre raghanag dev2atwork saugoe12 tristanross danjordan guppy0356 eligizim paramadeep armen-ch tamipangadil fengguangke rafaelaazevedo gvaatstra ashieh gitakhan teacherspayteachers amitshokeen timothyjones matthewdy williaminfante beppa5027x mc-carthy mfreed-extensis aurelienlair ghdoergeloh selits amyliorate pbmiguel slavick jherfst bkir saurabhkjain arpitmodani bedla brumal matt-steward radekkoubsky darccide sepira olga-v-k dmtst55 damoco bangn anarcometin sgoag mdw87 rjauk thanhmmo19 azakrytnoi ups216 jaoualfr cmearl6 arthurgrig juliogft steve-p-allen dlukas1 thomjoy bethesque ben435 shaunreidkmart chetan-bb shop-ware

example-consumer's Issues

[BUG] Unable to setup front end for consumer due to js error

Issue: [BUG] Unable to setup front end for consumer due to js error

Steps to Repo

Clone repo to local and set up the consumer using npm install and npm start

Platform: Windows

User gets and error : Failed prop type: Invalid prop children of type array supplied to Layout, expected a single ReactElement type

CVE-2020-7788 (High) detected in ini-1.3.5.tgz - autoclosed

CVE-2020-7788 - High Severity Vulnerability

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • react-dev-utils-10.2.1.tgz
      • global-modules-2.0.0.tgz
        • global-prefix-3.0.0.tgz
          • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz - autoclosed

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • swagger-mock-validator-10.0.0.tgz (Root Library)
    • request-2.88.2.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (swagger-mock-validator): 10.0.1

  • Check this box to open an automated fix PR

CVE-2021-27290 (High) detected in ssri-7.1.0.tgz, ssri-6.0.1.tgz - autoclosed

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Libraries - ssri-7.1.0.tgz, ssri-6.0.1.tgz

ssri-7.1.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssri/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • terser-webpack-plugin-2.3.8.tgz
      • cacache-13.0.1.tgz
        • ssri-7.1.0.tgz (Vulnerable Library)
ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack/node_modules/ssri/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-4.42.0.tgz
      • terser-webpack-plugin-1.4.5.tgz
        • cacache-12.0.4.tgz
          • ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 7.1.1

Direct dependency fix Resolution (react-scripts): 3.4.4

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-28092 (High) detected in is-svg-3.0.0.tgz - autoclosed

CVE-2021-28092 - High Severity Vulnerability

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.3.tgz
      • cssnano-4.1.10.tgz
        • cssnano-preset-default-4.0.7.tgz
          • postcss-svgo-4.0.2.tgz
            • is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution (is-svg): 4.2.2

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-33587 (High) detected in css-what-3.4.1.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.1.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-what/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-4.3.3.tgz
      • plugin-svgo-4.3.1.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • css-what-3.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (react-scripts): 5.0.1

  • Check this box to open an automated fix PR

CVE-2021-33502 (High) detected in normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • mini-css-extract-plugin-0.9.0.tgz
      • normalize-url-1.9.1.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss-normalize-url/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.3.tgz
      • cssnano-4.1.10.tgz
        • cssnano-preset-default-4.0.7.tgz
          • postcss-normalize-url-4.0.1.tgz
            • normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2022-1650 (High) detected in eventsource-1.0.7.tgz - autoclosed

CVE-2022-1650 - High Severity Vulnerability

Vulnerable Library - eventsource-1.0.7.tgz

W3C compliant EventSource client for Node.js and browser (polyfill)

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eventsource/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • sockjs-client-1.4.0.tgz
        • eventsource-1.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): 1.1.1

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2020-15256 (High) detected in object-path-0.11.4.tgz - autoclosed

CVE-2020-15256 - High Severity Vulnerability

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-url-loader-3.1.1.tgz
      • adjust-sourcemap-loader-2.0.0.tgz
        • object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-3757 (High) detected in immer-1.10.0.tgz - autoclosed

CVE-2021-3757 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • react-dev-utils-10.2.1.tgz
      • immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

For BYO Tool use case with Nock (record/replay example), user should be reminded to set PACT_PROVIDER env var

Env var not required for non BYO case, as it has a fallback.

Possibly add the fallback, or add into the instructions, reminder to set PACT_PROVIDER env var.

{"errors":{"contracts":["providerName is missing at index 0"]}}
make[1]: *** [publish_pacts] Error 1
make: *** [fake_ci_nock] Error 2

api.pact.spec.js
provider: process.env.PACT_PROVIDER ? process.env.PACT_PROVIDER : 'pactflow-example-provider',

api.record.spec.js
provider: { name: process.env.PACT_PROVIDER },

CVE-2021-23343 (High) detected in path-parse-1.0.6.tgz - autoclosed

CVE-2021-23343 - High Severity Vulnerability

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-1.15.0.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-3777 (High) detected in tmpl-1.0.4.tgz - autoclosed

CVE-2021-3777 - High Severity Vulnerability

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmpl/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • babel-jest-24.9.0.tgz
      • transform-24.9.0.tgz
        • jest-haste-map-24.9.0.tgz
          • walker-1.0.7.tgz
            • makeerror-1.0.11.tgz
              • tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

make test and make test_nock require REACT_APP_API_BASE_URL setting in .env

Should we add it into the .env / readme instructions or Makefile?

========== STAGE: test (nock) ==========

npm run test:nock

> [email protected] test:nock
> cross-env CI=true react-scripts test --testTimeout 30000 nock.spec.js

FAIL src/api.nock.spec.js
  ● Test suite failed to run

    TypeError: Cannot read properties of undefined (reading 'endsWith')

      10 |       url = process.env.REACT_APP_API_BASE_URL;
      11 |     }
    > 12 |     if (url.endsWith("/")) {
         |             ^
      13 |       url = url.substr(0, url.length - 1)
      14 |     }
      15 |     this.url = url

      at new API (src/api.js:12:13)
      at Object.<anonymous> (src/api.js:48:16)
      at Object.<anonymous> (src/api.nock.spec.js:1:1)

Test Suites: 1 failed, 1 total
Tests:       0 total
Snapshots:   0 total
Time:        1.346s
Ran all test suites matching /nock.spec.js/i.
make: *** [test_nock] Error 1

CVE-2021-23434 (High) detected in object-path-0.11.4.tgz - autoclosed

CVE-2021-23434 - High Severity Vulnerability

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-url-loader-3.1.1.tgz
      • adjust-sourcemap-loader-2.0.0.tgz
        • object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.

Publish Date: 2021-08-27

URL: CVE-2021-23434

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434

Release Date: 2021-08-27

Fix Resolution (object-path): 0.11.6

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-23382 (High) detected in postcss-7.0.35.tgz, postcss-7.0.21.tgz - autoclosed

CVE-2021-23382 - High Severity Vulnerability

Vulnerable Libraries - postcss-7.0.35.tgz, postcss-7.0.21.tgz

postcss-7.0.35.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • postcss-safe-parser-4.0.1.tgz
      • postcss-7.0.35.tgz (Vulnerable Library)
postcss-7.0.21.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/resolve-url-loader/node_modules/postcss/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-url-loader-3.1.1.tgz
      • postcss-7.0.21.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 3.4.4

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

WS-2021-0152 (High) detected in color-string-1.5.3.tgz - autoclosed

WS-2021-0152 - High Severity Vulnerability

Vulnerable Library - color-string-1.5.3.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.3.tgz
      • cssnano-4.1.10.tgz
        • cssnano-preset-default-4.0.7.tgz
          • postcss-colormin-4.0.3.tgz
            • color-3.1.2.tgz
              • color-string-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-3765 (High) detected in validator-13.5.2.tgz, validator-12.2.0.tgz - autoclosed

CVE-2021-3765 - High Severity Vulnerability

Vulnerable Libraries - validator-13.5.2.tgz, validator-12.2.0.tgz

validator-13.5.2.tgz

String validation and sanitization

Library home page: https://registry.npmjs.org/validator/-/validator-13.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/validator/package.json

Dependency Hierarchy:

  • swagger-mock-validator-10.0.0.tgz (Root Library)
    • validator-13.5.2.tgz (Vulnerable Library)
validator-12.2.0.tgz

String validation and sanitization

Library home page: https://registry.npmjs.org/validator/-/validator-12.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/z-schema/node_modules/validator/package.json

Dependency Hierarchy:

  • swagger-mock-validator-10.0.0.tgz (Root Library)
    • swagger-parser-10.0.2.tgz
      • swagger-parser-10.0.2.tgz
        • z-schema-4.2.3.tgz
          • validator-12.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

validator.js is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-11-02

URL: CVE-2021-3765

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qgmg-gppg-76g5

Release Date: 2021-11-02

Fix Resolution (validator): 13.7.0

Direct dependency fix Resolution (swagger-mock-validator): 10.0.1

Fix Resolution (validator): 13.7.0

Direct dependency fix Resolution (swagger-mock-validator): 10.0.1

  • Check this box to open an automated fix PR

CVE-2021-42740 (High) detected in shell-quote-1.7.2.tgz - autoclosed

CVE-2021-42740 - High Severity Vulnerability

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • react-dev-utils-10.2.1.tgz
      • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

WS-2020-0042 (High) detected in acorn-5.7.4.tgz - autoclosed

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/acorn/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • jest-config-24.9.0.tgz
          • jest-environment-jsdom-24.9.0.tgz
            • jsdom-11.12.0.tgz
              • acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

  • Check this box to open an automated fix PR

CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz - autoclosed

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/base/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-4.42.0.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • define-property-1.0.0.tgz
              • is-descriptor-1.0.2.tgz
                • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2020-28477 (High) detected in immer-1.10.0.tgz - autoclosed

CVE-2020-28477 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • react-dev-utils-10.2.1.tgz
      • immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects all versions of package immer.

Publish Date: 2021-01-19

URL: CVE-2020-28477

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (immer): 8.0.1

Direct dependency fix Resolution (react-scripts): 4.0.0

  • Check this box to open an automated fix PR

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json,/node_modules/svgo/node_modules/nth-check/package.json

Dependency Hierarchy:

  • react-scripts-5.0.1.tgz (Root Library)
    • webpack-5.5.0.tgz
      • plugin-svgo-5.5.0.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json,/node_modules/recursive-readdir/node_modules/minimatch/package.json

Dependency Hierarchy:

  • react-scripts-5.0.1.tgz (Root Library)
    • react-dev-utils-12.0.1.tgz
      • recursive-readdir-2.2.2.tgz
        • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

make fake_ci & make fake_ci_nock fails on can-i-deploy - `Environment with name 'production' does not exist`

make fake_ci & make fake_ci_nock fail on can-i-deploy - Environment with name 'production' does not exist

I assume this is expected, as we have no provider verification at this point. Might be worth mentioning in the docs?

========== STAGE: publish pacts ==========
Created pactflow-example-consumer version 4bd4730+1646229716 with tags March2022Update
  Next steps:
    Configure the version branch to be the value of your repository branch.
Pact successfully published for pactflow-example-consumer version 4bd4730+1646229716 and provider pactflow-example-provider-dredd.
  View the published pact at https://you54f.pactflow.io/pacts/provider/pactflow-example-provider-dredd/consumer/pactflow-example-consumer/version/4bd4730%2B1646229716
  Events detected: contract_published, contract_content_changed (first time any pact published for this consumer with consumer version tagged March2022Update)
  Next steps:
    * Add Pact verification tests to the pactflow-example-provider-dredd build. See https://docs.pact.io/go/provider_verification
    * Configure separate pactflow-example-provider-dredd pact verification build and webhook to trigger it when the pact content changes. See https://docs.pact.io/go/webhooks

========== STAGE: can-i-deploy? ==========

Environment with name 'production' does not exist
make[1]: *** [can_i_deploy] Error 1
make: *** [fake_ci_nock] Error 2

CVE-2022-24772 (High) detected in node-forge-0.10.0.tgz - autoclosed

CVE-2022-24772 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2021-29059 (High) detected in is-svg-3.0.0.tgz - autoclosed

CVE-2021-29059 - High Severity Vulnerability

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.3.tgz
      • cssnano-4.1.10.tgz
        • cssnano-preset-default-4.0.7.tgz
          • postcss-svgo-4.0.2.tgz
            • is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-21

Fix Resolution (is-svg): 4.3.0

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2022-0686 (High) detected in url-parse-1.4.7.tgz - autoclosed

CVE-2022-0686 - High Severity Vulnerability

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • sockjs-client-1.4.0.tgz
        • url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-3807 (High) detected in multiple libraries - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz, ansi-regex-4.1.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/string-length/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • jest-watch-typeahead-0.4.2.tgz
      • jest-watcher-24.9.0.tgz
        • string-length-2.0.0.tgz
          • strip-ansi-4.0.0.tgz
            • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/react-dev-utils/node_modules/strip-ansi/node_modules/ansi-regex/package.json,/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • eslint-6.8.0.tgz
      • inquirer-7.0.3.tgz
        • string-width-4.2.0.tgz
          • strip-ansi-6.0.0.tgz
            • ansi-regex-5.0.0.tgz (Vulnerable Library)
ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pretty-format/node_modules/ansi-regex/package.json,/node_modules/react-dev-utils/node_modules/ansi-regex/package.json,/node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • jest-24.9.0.tgz
      • jest-cli-24.9.0.tgz
        • jest-validate-24.9.0.tgz
          • pretty-format-24.9.0.tgz
            • ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (react-scripts): 3.4.4

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (react-scripts): 3.4.4

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2021-23436 (High) detected in immer-1.10.0.tgz - autoclosed

CVE-2021-23436 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • react-dev-utils-10.2.1.tgz
      • immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz - autoclosed

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • yargs-13.3.2.tgz
        • y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

Windows 10 - Not finding Pact Foundation "Matchers" module

Hello - running this in a Windows 10 environment with VS Code. When running "npm t", the Pact test is failing with this error - I've been looking for where to install this module from, but so far have not found it:

FAIL src/api.pact.spec.js
● Test suite failed to run

**Cannot find module '@pact-foundation/pact/dsl/matchers' from 'api.pact.spec.js'**  

  1 | import { Pact } from '@pact-foundation/pact';
  2 | import { API } from './api';
> 3 | import { eachLike, like, regex } from '@pact-foundation/pact/dsl/matchers';
    | ^
  4 | import { Product } from './product';
  5 | 
  6 | const mockProvider = new Pact({

  at Resolver.resolveModule (node_modules/jest-resolve/build/index.js:259:17)
  at Object.<anonymous> (src/api.pact.spec.js:3:1)

CVE-2021-43138 (High) detected in async-2.6.3.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • portfinder-1.0.28.tgz
        • async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2022-0691 (High) detected in url-parse-1.4.7.tgz - autoclosed

CVE-2022-0691 - High Severity Vulnerability

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • sockjs-client-1.4.0.tgz
        • url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2020-28469 (High) detected in glob-parent-5.1.0.tgz, glob-parent-3.1.0.tgz - autoclosed

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-5.1.0.tgz, glob-parent-3.1.0.tgz

glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • eslint-6.8.0.tgz
      • glob-parent-5.1.0.tgz (Vulnerable Library)
glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • chokidar-2.1.8.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2021-26707 (High) detected in merge-deep-3.0.2.tgz - autoclosed

CVE-2021-26707 - High Severity Vulnerability

Vulnerable Library - merge-deep-3.0.2.tgz

Recursively merge values in a javascript object.

Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/merge-deep/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-4.3.3.tgz
      • plugin-svgo-4.3.1.tgz
        • merge-deep-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Publish Date: 2021-06-02

URL: CVE-2021-26707

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259

Release Date: 2021-06-02

Fix Resolution (merge-deep): 3.0.3

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2021-3805 (High) detected in object-path-0.11.4.tgz - autoclosed

CVE-2021-3805 - High Severity Vulnerability

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • resolve-url-loader-3.1.1.tgz
      • adjust-sourcemap-loader-2.0.0.tgz
        • object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-17

URL: CVE-2021-3805

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/

Release Date: 2021-09-17

Fix Resolution (object-path): 0.11.8

Direct dependency fix Resolution (react-scripts): 3.4.4

  • Check this box to open an automated fix PR

CVE-2022-37601 (High) detected in loader-utils-1.2.3.tgz, loader-utils-1.4.0.tgz - autoclosed

CVE-2022-37601 - High Severity Vulnerability

Vulnerable Libraries - loader-utils-1.2.3.tgz, loader-utils-1.4.0.tgz

loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/node_modules/resolve-url-loader/node_modules/loader-utils/package.json,/node_modules/react-dev-utils/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • react-dev-utils-10.2.1.tgz
      • loader-utils-1.2.3.tgz (Vulnerable Library)
loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • css-loader-3.4.2.tgz
      • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 2.0.0

Direct dependency fix Resolution (react-scripts): 5.0.1

Fix Resolution (loader-utils): 2.0.0

Direct dependency fix Resolution (react-scripts): 5.0.1

  • Check this box to open an automated fix PR

CVE-2022-37599 (High) detected in loader-utils-2.0.2.tgz

CVE-2022-37599 - High Severity Vulnerability

Vulnerable Library - loader-utils-2.0.2.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-5.0.1.tgz (Root Library)
    • file-loader-6.2.0.tgz
      • loader-utils-2.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Publish Date: 2022-10-11

URL: CVE-2022-37599

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-24771 (High) detected in node-forge-0.10.0.tgz - autoclosed

CVE-2022-24771 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2022-25858 (High) detected in terser-4.8.0.tgz - autoclosed

CVE-2022-25858 - High Severity Vulnerability

Vulnerable Library - terser-4.8.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • terser-webpack-plugin-2.3.8.tgz
      • terser-4.8.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 5.0.0-beta.0

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

CVE-2021-23807 (High) detected in jsonpointer-4.1.0.tgz - autoclosed

CVE-2021-23807 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.1.0.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • swagger-mock-validator-10.0.0.tgz (Root Library)
    • jsonpointer-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-03

URL: CVE-2021-23807

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807

Release Date: 2021-11-03

Fix Resolution (jsonpointer): 5.0.0

Direct dependency fix Resolution (swagger-mock-validator): 10.1.2

  • Check this box to open an automated fix PR

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz - autoclosed

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

  • react-scripts-3.4.3.tgz (Root Library)
    • webpack-dev-server-3.11.0.tgz
      • ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 3912fdf164197aec6dc6c42ef1edc2f39d68619f

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (react-scripts): 5.0.0

  • Check this box to open an automated fix PR

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.