
logger-decorator's Introduction

🏢 I'm currently working at the WebbyLab

logger-decorator's People

Contributors

dependabot[bot], lalaps[bot], lgtm-com[bot], pustovitdmytro, renovate-bot, renovate[bot], semantic-release-bot

logger-decorator's Issues

v.2.0 Plans

  • Fix typo dublicates => duplicates
  • drop node 10 support

CVE-2022-29244 (High) detected in npm-8.4.1.tgz - autoclosed

CVE-2022-29244 - High Severity Vulnerability

Vulnerable Library - npm-8.4.1.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-8.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • npm-9.0.0.tgz
      • npm-8.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0: run npm i -g npm@latest. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Publish Date: 2022-06-13

URL: CVE-2022-29244

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-06-13

Fix Resolution (npm): 8.11.0

Direct dependency fix Resolution (semantic-release): 19.0.3


Step up your Open Source Security Game with Mend here

WS-2022-0239 (Medium) detected in parse-url-6.0.0.tgz - autoclosed

WS-2022-0239 - Medium Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0.
Through this vulnerability, an attacker is able to execute malicious JavaScript code.

Publish Date: 2022-07-02

URL: WS-2022-0239

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e

Release Date: 2022-07-02

Fix Resolution: parse-url - 8.0.0

CVE-2022-31051 (High) detected in semantic-release-19.0.2.tgz - autoclosed

CVE-2022-31051 - High Severity Vulnerability

Vulnerable Library - semantic-release-19.0.2.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-19.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.

Publish Date: 2022-06-09

URL: CVE-2022-31051

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-x2pg-mjhr-2m5x

Release Date: 2022-06-09

Fix Resolution: 19.0.3
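
The mechanism behind this advisory is worth seeing in code: a secret is masked in its raw form and in its encodeURI form, but the copy that ends up in a git error came through encodeURIComponent, which rewrites characters such as / and # that encodeURI leaves alone, so the masked forms never match. The block below is an added example, not semantic-release's code; the token value and the git error line are constructed, and it assumes the runtime embedded the token in the remote URL with encodeURIComponent.

```javascript
// Added example (not semantic-release's code): masking a secret that was
// URL-encoded before it reached the output stream.
// Assumption: the token is placed in a URL via encodeURIComponent.

// Constructed token: '/' and '#' are untouched by encodeURI but rewritten
// by encodeURIComponent, so the encoded form never equals the raw form.
const TOKEN = 'ghp/abc#123';

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function replaceAllForms(text, forms) {
  return forms.reduce(
    (out, f) => out.replace(new RegExp(escapeRegExp(f), 'g'), '[secure]'),
    text
  );
}

// Masker that only knows the raw secret and its encodeURI form: the gap
// described in CVE-2022-31051.
function maskEncodeURIOnly(text, secret) {
  return replaceAllForms(text, [secret, encodeURI(secret)]);
}

// Hardened masker: also covers encodeURIComponent, deduplicates, and masks
// the longest forms first so a partial overlap cannot leave a tail behind.
function maskAllForms(text, secret) {
  const forms = [...new Set([secret, encodeURI(secret), encodeURIComponent(secret)])]
    .sort((a, b) => b.length - a.length);
  return replaceAllForms(text, forms);
}

// Constructed git error line: the remote URL carries the encoded token,
// which is what a failed push would print back.
function buildGitError(token) {
  return `fatal: unable to access 'https://x:${encodeURIComponent(token)}@github.com/org/repo.git/': 403`;
}

// True if any usable form of the token is still visible in `text`.
function leaksToken(text, token) {
  return text.includes(token) || text.includes(encodeURIComponent(token));
}
```

The general rule this illustrates: mask every encoding the secret can take on its way to a log (raw, URL-encoded, base64 where applicable), not just the one you put it in with.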

WS-2022-0237 (High) detected in parse-url-6.0.0.tgz - autoclosed

WS-2022-0237 - High Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0.
It allows an attacker to cause a denial of service when the parse-url function is called on attacker-controlled input.

Publish Date: 2022-07-04

URL: WS-2022-0237

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-04

Fix Resolution: parse-url - 8.0.0

Feature: Logging only errors

Allow logging errors only

  • Feature is backward compatible

The API will follow this convention:

const decorator = new Decorator({
    logger,
    timestamp : true,
    errorsOnly: true
});

This should help in resolving some performance issues (#45).

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • cli-7.17.0.tgz (Root Library)
    • chokidar-3.5.3.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (@babel/cli): 7.17.3

CVE-2021-23490 (High) detected in parse-link-header-1.0.1.tgz - autoclosed

CVE-2021-23490 - High Severity Vulnerability

Vulnerable Library - parse-link-header-1.0.1.tgz

Parses a link header and returns paging information for each contained link.

Library home page: https://registry.npmjs.org/parse-link-header/-/parse-link-header-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-link-header/package.json

Dependency Hierarchy:

  • danger-10.6.6.tgz (Root Library)
    • parse-link-header-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.

Publish Date: 2021-12-24

URL: CVE-2021-23490

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23490

Release Date: 2021-12-24

Fix Resolution: parse-link-header - 2.0.0

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz - autoclosed

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • coveralls-3.1.1.tgz (Root Library)
    • request-2.88.2.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

Feature: Prevent multiple logs of same error

Is your feature request related to a problem? Please describe.
Prevent multiple logs of the same error

Describe the solution you'd like
API: something like:

{
    logErrors: 'top-only'
}

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore: update actions/setup-node action to v4

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

  • Chore: Update devDependencies (non-major) (@babel/cli, @babel/core, @babel/node, @babel/plugin-proposal-class-properties, @babel/plugin-proposal-decorators, @babel/plugin-proposal-object-rest-spread, @babel/plugin-proposal-optional-chaining, @babel/preset-env, @babel/runtime, @commitlint/cli, @commitlint/lint, @semantic-release/changelog, chai, chance, danger, eslint, eslint-config-incredible, eslint-plugin-censor, eslint-plugin-import, eslint-plugin-mocha, eslint-plugin-promise, eslint-plugin-regexp, eslint-plugin-security, eslint-plugin-sonarjs, fs-extra, jscpd, lockfile-lint, mocha, mocha-junit-reporter, node-package-tester)
  • Upgrade: Update dependency myrmidon to v1.8.1
  • Chore: Update devDependencies (non-major) (major) (@commitlint/cli, @commitlint/lint, babel-plugin-module-resolver, conventional-changelog-eslint, danger, eslint-plugin-markdown, eslint-plugin-regexp, eslint-plugin-unicorn, fs-extra, husky, mocha, semantic-release, uuid)
  • chore: update actions/checkout action to v4
  • Chore: Lock file maintenance

Detected dependencies

github-actions
.github/workflows/codeql.yml
  • actions/checkout v3
  • github/codeql-action v2
  • github/codeql-action v2
  • github/codeql-action v2
.github/workflows/npt.yml
  • actions/checkout v2
  • actions/setup-node v2
  • actions/setup-node v2
npm
package.json
  • myrmidon 1.7.2
  • @babel/cli ^7.16.8
  • @babel/core ^7.16.12
  • @babel/node ^7.16.8
  • @babel/plugin-proposal-class-properties ^7.16.7
  • @babel/plugin-proposal-decorators ^7.16.7
  • @babel/plugin-proposal-object-rest-spread ^7.16.7
  • @babel/plugin-proposal-optional-chaining ^7.16.7
  • @babel/polyfill ^7.12.1
  • @babel/preset-env ^7.16.11
  • @babel/runtime ^7.16.7
  • @commitlint/cli ^16.1.0
  • @commitlint/lint ^16.0.0
  • @semantic-release/changelog ^6.0.1
  • @semantic-release/git ^10.0.1
  • babel-plugin-module-resolver ^4.1.0
  • chai ^4.3.7
  • chance ^1.1.9
  • conventional-changelog-eslint ^3.0.9
  • coveralls ^3.1.1
  • danger ^10.8.0
  • eslint ^8.8.0
  • eslint-config-incredible ^2.4.0
  • eslint-plugin-censor ^1.5.2
  • eslint-plugin-import ^2.25.4
  • eslint-plugin-markdown ^2.2.1
  • eslint-plugin-mocha ^10.0.3
  • eslint-plugin-no-secrets ^0.8.9
  • eslint-plugin-node ^11.1.0
  • eslint-plugin-promise ^6.0.0
  • eslint-plugin-regexp ^1.5.1
  • eslint-plugin-scanjs-rules ^0.2.1
  • eslint-plugin-security ^1.4.0
  • eslint-plugin-sonarjs ^0.11.0
  • eslint-plugin-unicorn ^40.1.0
  • fs-extra ^10.0.0
  • husky ^7.0.4
  • jscpd ^3.4.5
  • lockfile-lint ^4.6.2
  • mocha ^9.2.0
  • mocha-junit-reporter ^2.0.2
  • node-package-tester ^1.1.28
  • nyc ^15.1.0
  • semantic-release ^19.0.5
  • semantic-release-telegram ^1.6.2
  • test-console ^2.0.0
  • uuid ^8.3.2
  • node >=10

CVE-2022-0624 (High) detected in parse-path-4.0.3.tgz - autoclosed

CVE-2022-0624 - High Severity Vulnerability

Vulnerable Library - parse-path-4.0.3.tgz

Parse paths (local paths, urls: ssh/git/etc)

Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-path/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz
          • parse-path-4.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Publish Date: 2022-06-28

URL: CVE-2022-0624

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624

Release Date: 2022-06-28

Fix Resolution: parse-path - 5.0.0

WS-2022-0238 (High) detected in parse-url-6.0.0.tgz - autoclosed

WS-2022-0238 - High Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

Release Date: 2022-06-30

Fix Resolution: parse-url - 8.0.0

CVE-2021-23807 (High) detected in jsonpointer-4.1.0.tgz - autoclosed

CVE-2021-23807 - High Severity Vulnerability

Vulnerable Library - jsonpointer-4.1.0.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonpointer/package.json

Dependency Hierarchy:

  • danger-10.6.6.tgz (Root Library)
    • jsonpointer-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-03

URL: CVE-2021-23807

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807

Release Date: 2021-11-03

Fix Resolution: jsonpointer - 5.0.0
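
The "type confusion" in this advisory is concrete enough to reproduce in a few lines. The block below is an added example, not jsonpointer's code: a naive setter compares each pointer component against the string "__proto__", but an array component such as ["__proto__"] fails that comparison and is then coerced to the string "__proto__" by property access, so the write lands on Object.prototype. The hardened setter refuses any non-string component before consulting the blocklist. The pointer components are constructed attacker input for the example.

```javascript
// Added example (not jsonpointer's code): why a string-only "__proto__"
// check is bypassed when a pointer component is an array.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: blocks the dangerous *string* keys only. An array component
// like ['__proto__'] is not === '__proto__', so it passes the check, but
// cur[['__proto__']] coerces the array to '__proto__' on property access
// and the walk steps onto Object.prototype.
function naiveSet(obj, components, value) {
  let cur = obj;
  for (let i = 0; i < components.length; i++) {
    const part = components[i];
    if (part === '__proto__' || part === 'constructor' || part === 'prototype') {
      throw new Error(`refusing to set ${part}`);
    }
    if (i === components.length - 1) {
      cur[part] = value;
    } else {
      if (cur[part] === undefined) cur[part] = {};
      cur = cur[part];
    }
  }
  return obj;
}

// Hardened setter: every component must be a string (so there is no
// coercion path) and is checked against the blocklist after that proof.
function safeSet(obj, components, value) {
  if (!Array.isArray(components) || components.length === 0) {
    throw new TypeError('components must be a non-empty array');
  }
  for (const part of components) {
    if (typeof part !== 'string') throw new TypeError('pointer component must be a string');
    if (FORBIDDEN.has(part)) throw new Error(`refusing to set ${part}`);
  }
  let cur = obj;
  for (let i = 0; i < components.length - 1; i++) {
    const part = components[i];
    if (cur[part] === null || typeof cur[part] !== 'object') cur[part] = {};
    cur = cur[part];
  }
  cur[components[components.length - 1]] = value;
  return obj;
}

// Constructed attacker input: the first component is an array, not a string.
const ATTACK = [['__proto__'], 'polluted'];

// Returns what an unrelated object sees after the naive setter ran, then
// removes the pollution so the process is clean again.
function demoNaive() {
  naiveSet({}, ATTACK, 'yes');
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

// Returns the name of the error the hardened setter raises for the same input.
function demoSafe() {
  try {
    safeSet({}, ATTACK, 'yes');
    return 'allowed';
  } catch (e) {
    return e.constructor.name;
  }
}
```

The lesson generalises beyond this package: a blocklist on a key is only as good as the guarantee that the value you compared is the value the engine will use; validate the type first, then the content.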

CVE-2022-2216 (High) detected in parse-url-6.0.0.tgz - autoclosed

CVE-2022-2216 - High Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2216

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

CVE-2022-2217 (Medium) detected in parse-url-6.0.0.tgz - autoclosed

CVE-2022-2217 - Medium Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2217

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b/

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

CVE-2021-43307 (High) detected in semver-regex-3.1.3.tgz - autoclosed

CVE-2021-43307 - High Severity Vulnerability

Vulnerable Library - semver-regex-3.1.3.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • find-versions-4.0.0.tgz
      • semver-regex-3.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution (semver-regex): 3.1.4

Direct dependency fix Resolution (semantic-release): 19.0.3

CVE-2022-0722 (High) detected in parse-url-6.0.0.tgz - autoclosed

CVE-2022-0722 - High Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-0722

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

CVE-2022-2218 (Medium) detected in parse-url-6.0.0.tgz - autoclosed

CVE-2022-2218 - Medium Severity Vulnerability

Vulnerable Library - parse-url-6.0.0.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • git-url-parse-11.6.0.tgz
      • git-up-4.0.5.tgz
        • parse-url-6.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2218

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5/

Release Date: 2022-06-27

Fix Resolution: parse-url - 6.0.1

CVE-2022-1214 (High) detected in axios-0.21.4.tgz - autoclosed

CVE-2022-1214 - High Severity Vulnerability

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • semantic-release-telegram-1.5.1.tgz (Root Library)
    • base-api-client-1.5.3.tgz
      • axios-0.21.4.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: axios - v0.26.0

v.1.0

  • default decorator out of the box
  • include/exclude methods in class
  • tracing support
  • allow to disable double logging
  • inspect depths and configuration
  • function decorator: config as second argument

CVE-2022-0235 (Medium) detected in node-fetch-2.6.1.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • danger-10.8.0.tgz (Root Library)
    • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: e6d60e02478ae9edf53af928379f1a378559d64c

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7, 3.1.1
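
The advisory text above only names the weakness class; the underlying report (GHSA-r683-j2x4-v87g) is about an HTTP client replaying credential-bearing headers such as Authorization to whatever host a redirect points at. The block below is an added example, not node-fetch's code: a minimal redirect follower over a fake in-memory transport that drops those headers whenever a hop leaves the origin of the original request, with a switch to reproduce the leaky behaviour for comparison. Hostnames, routes and the token are constructed for the example.

```javascript
// Added example (not node-fetch's code): strip credential-bearing headers
// on cross-origin redirects. Assumptions: the transport below stands in for
// the network; hostnames, the token and the routes are constructed.

const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Same scheme and host (including port) counts as the same origin.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Headers to carry to the next hop: unchanged within an origin, otherwise
// everything except the sensitive set.
function headersForRedirect(headers, from, to) {
  if (sameOrigin(from, to)) return { ...headers };
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Constructed transport: a table of canned responses keyed by URL that also
// records the headers each URL received, so a test can see what leaked.
function makeTransport(routes) {
  const seen = {};
  return {
    seen,
    send(url, headers) {
      seen[url] = { ...headers };
      return routes[url] || { status: 404, headers: {}, body: '' };
    },
  };
}

// Follow up to maxRedirects Location hops. `strip: false` reproduces the
// pre-fix behaviour of forwarding every header to every hop.
function fetchFollow(transport, url, headers, { strip = true, maxRedirects = 5 } = {}) {
  let current = url;
  let hdrs = { ...headers };
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = transport.send(current, hdrs);
    const isRedirect = res.status >= 300 && res.status < 400 && res.headers.location;
    if (!isRedirect) return { url: current, ...res };
    const next = new URL(res.headers.location, current).toString();
    hdrs = strip ? headersForRedirect(hdrs, current, next) : hdrs;
    current = next;
  }
  throw new Error('too many redirects');
}

// Constructed scenario: the API answers with a redirect to a third-party host.
const ROUTES = {
  'https://api.example.com/v1/report': {
    status: 302,
    headers: { location: 'https://cdn.attacker.example/collect' },
    body: '',
  },
  'https://cdn.attacker.example/collect': { status: 200, headers: {}, body: 'ok' },
};

function run(strip) {
  const t = makeTransport(ROUTES);
  const res = fetchFollow(
    t,
    'https://api.example.com/v1/report',
    { Authorization: 'Bearer secret-token', Accept: 'application/json' },
    { strip }
  );
  return { status: res.status, receivedByThirdParty: t.seen['https://cdn.attacker.example/collect'] };
}
```

When you cannot upgrade the client, the same policy can be enforced at the call site by disabling automatic redirects (node-fetch's `redirect: 'manual'`) and re-issuing the request yourself with headers chosen per hop.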

CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz, ansi-regex-3.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-5.0.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • npm-9.0.0.tgz
      • npm-8.4.1.tgz
        • cli-table3-0.6.1.tgz
          • string-width-4.2.2.tgz
            • strip-ansi-6.0.0.tgz
              • ansi-regex-5.0.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • npm-9.0.0.tgz
      • npm-8.4.1.tgz
        • npmlog-6.0.0.tgz
          • gauge-4.0.0.tgz
            • wide-align-1.1.5.tgz
              • string-width-2.1.1.tgz
                • strip-ansi-4.0.0.tgz
                  • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 809d80347ac56e09ea88b61bf099a476fb1e1dcc

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (semantic-release): 19.0.3

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (semantic-release): 19.0.3


Benchmarking the logger

Issue Description
Hi. I tried the decorator (Class Logger to be exact) but the thing we noticed was that our benchmarks deteriorated. http_req_duration went from 6ms to 35.15ms (a huge jump).

We are interested in intercepting only errors. So, we have a custom logger like this:

import { Decorator } from 'logger-decorator';

// Custom logger: info and verbose are no-ops, only error output is kept.
const logger = {
  info: function () {
    return;
  },
  verbose: function () {
    return;
  },
  error: console.error
};

// Decorator instance applied to classes with @log()
export const log = new Decorator({
  name: 'myapp',
  logger: logger,
  timestamp: true
});

Where we log only errors. No other custom code has been used and we just decorate the classes with @log() but this still leads to a huge impact on the benchmark. Any ideas on how we can solve this? Thanks 🙂

Please follow the general troubleshooting steps first:

  • I've searched on the issue tracker before creating one.
  • I'm running the latest package version.
  • I'm ready to provide help with a fix if needed.

What do you expect to happen?

There is minimal impact to the benchmarks after adding the decorators.

What is actually happening?

Adding the decorator leads to a 29ms jump in the benchmarks.

Output here

Before

     ✓ no_errors
     ✓ expected_result

     checks.........................: 100.00% ✓ 92154      ✗ 0    
     data_received..................: 16 MB   266 kB/s
     data_sent......................: 22 MB   361 kB/s
     http_req_blocked...............: avg=2.4µs   min=1.19µs  med=2.06µs  max=236.84µs p(90)=3.33µs  p(95)=3.93µs 
     http_req_connecting............: avg=15ns    min=0s      med=0s      max=177.64µs p(90)=0s      p(95)=0s     
   ✓ http_req_duration..............: avg=6.35ms  min=1.22ms  med=4.55ms  max=212.13ms p(90)=9.54ms  p(95)=11.09ms
       { expected_response:true }...: avg=6.35ms  min=1.22ms  med=4.55ms  max=212.13ms p(90)=9.54ms  p(95)=11.09ms
     http_req_failed................: 0.00%   ✓ 0          ✗ 46077
     http_req_receiving.............: avg=46.83µs min=18.26µs med=44.07µs max=8.95ms   p(90)=58.28µs p(95)=64.29µs
     http_req_sending...............: avg=20.62µs min=8.65µs  med=19.18µs max=2.56ms   p(90)=29.51µs p(95)=32.91µs
     http_req_tls_handshaking.......: avg=0s      min=0s      med=0s      max=0s       p(90)=0s      p(95)=0s     
     http_req_waiting...............: avg=6.28ms  min=1.12ms  med=4.48ms  max=212.07ms p(90)=9.46ms  p(95)=11ms   
     http_reqs......................: 46077   767.837431/s
     iteration_duration.............: avg=6.5ms   min=1.41ms  med=4.69ms  max=212.27ms p(90)=9.7ms   p(95)=11.25ms
     iterations.....................: 46077   767.837431/s
     vus............................: 5       min=5        max=5  
     vus_max........................: 5       min=5        max=5

After

     ✓ no_errors
     ✓ expected_result

     checks.........................: 100.00% ✓ 17010      ✗ 0   
     data_received..................: 3.0 MB  49 kB/s
     data_sent......................: 4.0 MB  67 kB/s
     http_req_blocked...............: avg=2.54µs  min=1.19µs med=2.14µs  max=200.64µs p(90)=3.59µs  p(95)=4.16µs  
     http_req_connecting............: avg=83ns    min=0s     med=0s      max=158.51µs p(90)=0s      p(95)=0s      
   ✗ http_req_duration..............: avg=35.15ms min=6.56ms med=19.37ms max=294.24ms p(90)=64.41ms p(95)=111.89ms
       { expected_response:true }...: avg=35.15ms min=6.56ms med=19.37ms max=294.24ms p(90)=64.41ms p(95)=111.89ms
     http_req_failed................: 0.00%   ✓ 0          ✗ 8505
     http_req_receiving.............: avg=46.58µs min=18.3µs med=44.49µs max=265.25µs p(90)=63.11µs p(95)=70.55µs 
     http_req_sending...............: avg=20.69µs min=8.97µs med=19.59µs max=124.37µs p(90)=29.77µs p(95)=33.1µs  
     http_req_tls_handshaking.......: avg=0s      min=0s     med=0s      max=0s       p(90)=0s      p(95)=0s      
     http_req_waiting...............: avg=35.08ms min=6.48ms med=19.32ms max=294.15ms p(90)=64.33ms p(95)=111.81ms
     http_reqs......................: 8505    141.472685/s
     iteration_duration.............: avg=35.3ms  min=6.75ms med=19.52ms max=294.42ms p(90)=64.58ms p(95)=112.07ms
     iterations.....................: 8505    141.472685/s
     vus............................: 5       min=5        max=5 
     vus_max........................: 5       min=5        max=5 

Environment:

  • Version: 1.4.1
  • Node.js version: v12.18.2
  • Operating System: ubuntu-1604:202104-01
