takescoop / publish-terraform-cloud-module-action Goto Github PK
View Code? Open in Web Editor NEWA Github action to publish Terraform modules to a Terraform Cloud registry
License: MIT License
A Github action to publish Terraform modules to a Terraform Cloud registry
License: MIT License
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/table/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
Step up your Open Source Security Game with WhiteSource here
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/table/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution: lodash-4.17.21
Step up your Open Source Security Game with WhiteSource here
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (axios version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3749 | High | 7.5 | axios-0.21.1.tgz | Direct | 0.21.2 | ❌ |
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: main
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution: 0.21.2
Step up your Open Source Security Game with Mend here
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
Step up your Open Source Security Game with WhiteSource here
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution: path-parse - 1.0.7
Step up your Open Source Security Game with WhiteSource here
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution: hosted-git-info - 2.8.9,3.0.8
Step up your Open Source Security Game with WhiteSource here
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Release Date: 2020-07-15
Fix Resolution: ajv - 6.12.3
Step up your Open Source Security Game with WhiteSource here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (jest version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-23440 | High | 9.8 | set-value-2.0.1.tgz | Transitive | 27.0.0 | ❌ |
CVE-2020-7774 | High | 9.8 | y18n-4.0.0.tgz | Transitive | 27.0.0 | ❌ |
CVE-2022-46175 | High | 8.8 | json5-2.1.3.tgz | Transitive | 27.0.0 | ❌ |
CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 27.0.0 | ❌ |
CVE-2023-28155 | Medium | 5.5 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
CVE-2021-32640 | Medium | 5.3 | ws-7.4.2.tgz | Transitive | 27.0.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
Found in base branch: main
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-09-12
Fix Resolution (set-value): 4.0.1
Direct dependency fix Resolution (jest): 27.0.0
Step up your Open Source Security Game with Mend here
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/y18n/package.json
Dependency Hierarchy:
Found in base branch: main
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (jest): 27.0.0
Step up your Open Source Security Game with Mend here
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/istanbul-lib-instrument/node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (jest): 27.0.0
Step up your Open Source Security Game with Mend here
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
Found in base branch: main
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (jest): 27.0.0
Step up your Open Source Security Game with Mend here
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
Found in base branch: main
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ws/package.json
Dependency Hierarchy:
Found in base branch: main
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol
header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize
options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 7.4.6
Direct dependency fix Resolution (jest): 27.0.0
Step up your Open Source Security Game with Mend here
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with WhiteSource here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (eslint version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-28469 | High | 7.5 | glob-parent-5.1.1.tgz | Transitive | 7.18.0 | ❌ |
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
CVE-2021-23337 | High | 7.2 | detected in multiple dependencies | Transitive | 7.18.0 | ❌ |
CVE-2020-15366 | Medium | 5.6 | ajv-6.10.2.tgz | Transitive | 7.18.0 | ❌ |
CVE-2020-28500 | Medium | 5.3 | detected in multiple dependencies | Transitive | 7.18.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: main
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (eslint): 7.18.0
Step up your Open Source Security Game with Mend here
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: main
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/table/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: main
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 7.18.0
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 7.18.0
Step up your Open Source Security Game with Mend here
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
Found in base branch: main
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 7.18.0
Step up your Open Source Security Game with Mend here
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/table/node_modules/lodash/package.json
Dependency Hierarchy:
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
Found in base branch: main
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 7.18.0
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 7.18.0
Step up your Open Source Security Game with Mend here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
@types/jest
, jest
, jest-circus
)@types/jest
, jest
, jest-circus
, ts-jest
).github/workflows/test.yml
actions/checkout v3
.github/workflows/update-dist.yml
actions/checkout v3
stefanzweifel/git-auto-commit-action v4
.github/workflows/update-semver.yml
actions/checkout v3
haya14busa/action-update-semver v1
package.json
@actions/core ^1.4.0
axios ^0.27.0
@types/jest 27.5.0
@types/node 16.11.33
@typescript-eslint/parser 5.23.0
@vercel/ncc 0.33.4
eslint 8.15.0
eslint-plugin-github 4.3.6
eslint-plugin-jest 26.1.5
jest 28.1.0
jest-circus 28.1.0
js-yaml 4.1.0
nock 13.2.4
prettier 2.6.2
ts-jest 28.0.2
typescript 4.6.4
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (ts-jest version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-46175 | High | 8.8 | json5-2.1.1.tgz | Transitive | 26.5.0 | ❌ |
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (ts-jest): 26.5.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (eslint-plugin-github version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-46175 | High | 8.8 | json5-1.0.1.tgz | Transitive | 4.1.2 | ❌ |
CVE-2021-23343 | High | 7.5 | path-parse-1.0.6.tgz | Transitive | 4.1.2 | ❌ |
CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.8.5.tgz | Transitive | 4.1.2 | ❌ |
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tsconfig-paths/node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: main
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (eslint-plugin-github): 4.1.2
Step up your Open Source Security Game with Mend here
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
Found in base branch: main
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (eslint-plugin-github): 4.1.2
Step up your Open Source Security Game with Mend here
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in base branch: main
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (eslint-plugin-github): 4.1.2
Step up your Open Source Security Game with Mend here
Actions core lib
Library home page: https://registry.npmjs.org/@actions/core/-/core-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@actions/core/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (core version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-35954 | Medium | 5.0 | core-1.4.0.tgz | Direct | 1.9.1 | ❌ |
Actions core lib
Library home page: https://registry.npmjs.org/@actions/core/-/core-1.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@actions/core/package.json
Dependency Hierarchy:
Found in base branch: main
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable
function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV
file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1
. If you are unable to upgrade the @actions/core
package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_
before calling core.exportVariable
.
Publish Date: 2022-08-15
URL: CVE-2022-35954
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954
Release Date: 2022-08-15
Fix Resolution: 1.9.1
Step up your Open Source Security Game with Mend here
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.2.tgz
Path to dependency file: publish-terraform-cloud-module-action/package.json
Path to vulnerable library: publish-terraform-cloud-module-action/node_modules/ws/package.json
Dependency Hierarchy:
Found in HEAD commit: a7d3cd4c20716dda5b41be22e71d107f7fcb50e4
Found in base branch: main
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol
header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize
options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution: ws - 7.4.6
Step up your Open Source Security Game with WhiteSource here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.