
Fix 9 npm dependencies #41

Open · wants to merge 1 commit into main


Conversation

atomist[bot] commented Mar 1, 2022

This pull request fixes 2 critical and 1 high security vulnerabilities open on 54d105f but 8 high and 4 moderate vulnerabilities remain open and need manual review.

npm audit fix updated the following npm dependencies:


Fixed vulnerabilities

The following security vulnerabilities are fixed:

  • minimist

    Prototype Pollution in minimist. Upgrade to version 1.2.6 or later.
    critical · <1.2.6 · CVE-2021-44906 · automatic fix available

    [email protected] · 4 vulnerable paths
      • portfinder > mkdirp > minimist
      • superstatic > update-notifier > latest-version > package-json > registry-auth-token > rc > minimist
      • unzipper > fstream > mkdirp > minimist
      • update-notifier > latest-version > package-json > registry-auth-token > rc > minimist

  • vm2

    Sandbox bypass in vm2. Upgrade to version 3.9.6 or later.
    critical · <3.9.6 · CVE-2021-23555 · automatic fix available

    [email protected] · 1 vulnerable path
      • proxy-agent > pac-proxy-agent > pac-resolver > degenerator > vm2

  • async

    Prototype Pollution in async. Upgrade to version 3.2.2 or later.
    high · >=3.0.0 <3.2.2 · CVE-2021-43138 · automatic fix available

    [email protected] · 1 vulnerable path
      • archiver > async

  • node-fetch

    node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. Upgrade to version 2.6.7 or later.
    high · <2.6.7 · CVE-2022-0235 · automatic fix available

    [email protected] · 5 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gaxios > node-fetch
      • @google-cloud/pubsub > google-auth-library > gcp-metadata > gaxios > node-fetch
      • @google-cloud/pubsub > google-gax > google-auth-library > gcp-metadata > gaxios > node-fetch
      • google-auth-library > gaxios > node-fetch
      • node-fetch

  • node-forge

    Improper Verification of Cryptographic Signature in node-forge. Upgrade to version 1.3.0 or later.
    high · <1.3.0 · CVE-2022-24772 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
      • @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
      • google-auth-library > gtoken > google-p12-pem > node-forge

    Improper Verification of Cryptographic Signature in node-forge. Upgrade to version 1.3.0 or later.
    high · <1.3.0 · CVE-2022-24771 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
      • @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
      • google-auth-library > gtoken > google-p12-pem > node-forge

    Improper Verification of Cryptographic Signature in node-forge. Upgrade to version 1.3.0 or later.
    moderate · <1.3.0 · CVE-2022-24773 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
      • @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
      • google-auth-library > gtoken > google-p12-pem > node-forge

  • tar

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning. Upgrade to version 6.1.2 or later.
    high · >=6.0.0 <6.1.2 · CVE-2021-32803 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization. Upgrade to version 6.1.1 or later.
    high · >=6.0.0 <6.1.1 · CVE-2021-32804 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links. Upgrade to version 6.1.7 or later.
    high · >=6.0.0 <6.1.7 · CVE-2021-37701 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization. Upgrade to version 6.1.9 or later.
    high · >=6.0.0 <6.1.9 · CVE-2021-37713 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links. Upgrade to version 6.1.9 or later.
    high · >=6.0.0 <6.1.9 · CVE-2021-37712 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

  • ansi-regex

    Inefficient Regular Expression Complexity in chalk/ansi-regex. Upgrade to version 3.0.1 or later.
    moderate · >=3.0.0 <3.0.1 · CVE-2021-3807 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > npmlog > gauge > wide-align > string-width > strip-ansi > ansi-regex

    Inefficient Regular Expression Complexity in chalk/ansi-regex. Upgrade to version 5.0.1 or later.
    moderate · >=5.0.0 <5.0.1 · CVE-2021-3807 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-gax > @grpc/grpc-js > @grpc/proto-loader > yargs > cliui > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > strip-ansi > ansi-regex

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-gax > @grpc/grpc-js > @grpc/proto-loader > yargs > cliui > wrap-ansi > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > wrap-ansi > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > wrap-ansi > strip-ansi > ansi-regex

    [email protected] · 2 vulnerable paths
      • @google-cloud/pubsub > google-gax > @grpc/grpc-js > @grpc/proto-loader > yargs > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > string-width > strip-ansi > ansi-regex

    [email protected] · 1 vulnerable path
      • superstatic > update-notifier > boxen > string-width > strip-ansi > ansi-regex

    [email protected] · 2 vulnerable paths
      • superstatic > update-notifier > boxen > widest-line > string-width > strip-ansi > ansi-regex
      • update-notifier > boxen > widest-line > string-width > strip-ansi > ansi-regex

    [email protected] · 2 vulnerable paths
      • update-notifier > boxen > string-width > strip-ansi > ansi-regex
      • update-notifier > boxen > wrap-ansi > string-width > strip-ansi > ansi-regex

  • ajv

    Prototype Pollution in Ajv. Upgrade to version 6.12.3 or later.
    moderate · <6.12.3 · CVE-2020-15366 · automatic fix available

    [email protected] · 3 vulnerable paths
      • request > har-validator > ajv
      • superstatic > re2 > node-gyp > request > har-validator > ajv
      • universal-analytics > request > har-validator > ajv

Open vulnerabilities

The following security vulnerabilities remain open and need manual review:

  • async

    Prototype Pollution in async. Upgrade to version 2.6.4 or later.
    high · <2.6.4 · CVE-2021-43138 · automatic fix available

    [email protected] · 1 vulnerable path
      • portfinder > async

    [email protected] · 1 vulnerable path
      • superstatic > nash > async

  • node-forge

    Improper Verification of Cryptographic Signature in node-forge. Upgrade to version 1.3.0 or later.
    high · <1.3.0 · CVE-2022-24772 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
      • @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
      • google-auth-library > gtoken > google-p12-pem > node-forge

    Improper Verification of Cryptographic Signature in node-forge. Upgrade to version 1.3.0 or later.
    high · <1.3.0 · CVE-2022-24771 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
      • @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
      • google-auth-library > gtoken > google-p12-pem > node-forge

    Improper Verification of Cryptographic Signature in node-forge. Upgrade to version 1.3.0 or later.
    moderate · <1.3.0 · CVE-2022-24773 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
      • @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
      • google-auth-library > gtoken > google-p12-pem > node-forge

  • tar

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning. Upgrade to version 6.1.2 or later.
    high · >=6.0.0 <6.1.2 · CVE-2021-32803 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization. Upgrade to version 6.1.1 or later.
    high · >=6.0.0 <6.1.1 · CVE-2021-32804 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links. Upgrade to version 6.1.7 or later.
    high · >=6.0.0 <6.1.7 · CVE-2021-37701 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization. Upgrade to version 6.1.9 or later.
    high · >=6.0.0 <6.1.9 · CVE-2021-37713 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

    Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links. Upgrade to version 6.1.9 or later.
    high · >=6.0.0 <6.1.9 · CVE-2021-37712 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > tar

  • ansi-regex

    Inefficient Regular Expression Complexity in chalk/ansi-regex. Upgrade to version 3.0.1 or later.
    moderate · >=3.0.0 <3.0.1 · CVE-2021-3807 · automatic fix available

    [email protected] · 1 vulnerable path
      • superstatic > re2 > node-gyp > npmlog > gauge > wide-align > string-width > strip-ansi > ansi-regex

    Inefficient Regular Expression Complexity in chalk/ansi-regex. Upgrade to version 5.0.1 or later.
    moderate · >=5.0.0 <5.0.1 · CVE-2021-3807 · automatic fix available

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-gax > @grpc/grpc-js > @grpc/proto-loader > yargs > cliui > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > strip-ansi > ansi-regex

    [email protected] · 3 vulnerable paths
      • @google-cloud/pubsub > google-gax > @grpc/grpc-js > @grpc/proto-loader > yargs > cliui > wrap-ansi > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > wrap-ansi > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > cliui > wrap-ansi > strip-ansi > ansi-regex

    [email protected] · 2 vulnerable paths
      • @google-cloud/pubsub > google-gax > @grpc/grpc-js > @grpc/proto-loader > yargs > string-width > strip-ansi > ansi-regex
      • @google-cloud/pubsub > google-gax > @grpc/proto-loader > yargs > string-width > strip-ansi > ansi-regex

    [email protected] · 1 vulnerable path
      • superstatic > update-notifier > boxen > string-width > strip-ansi > ansi-regex

    [email protected] · 2 vulnerable paths
      • superstatic > update-notifier > boxen > widest-line > string-width > strip-ansi > ansi-regex
      • update-notifier > boxen > widest-line > string-width > strip-ansi > ansi-regex

    [email protected] · 2 vulnerable paths
      • update-notifier > boxen > string-width > strip-ansi > ansi-regex
      • update-notifier > boxen > wrap-ansi > string-width > strip-ansi > ansi-regex

  • ajv

    Prototype Pollution in Ajv. Upgrade to version 6.12.3 or later.
    moderate · <6.12.3 · CVE-2020-15366 · automatic fix available

    [email protected] · 2 vulnerable paths
      • request > har-validator > ajv
      • superstatic > re2 > node-gyp > request > har-validator > ajv

Files changed:

atomist/npm-vulnerability-scanner-skill

atomist[bot] added labels auto-branch-delete:on-close (Delete branch when pull request gets closed), auto-merge-method:merge (Auto-merge with merge commit), auto-merge:on-bpr-success (Auto-merge on passed branch protection rule) · Mar 1, 2022
atomist[bot] changed the title from "Fix 11 npm dependencies" to "Fix 17 npm dependencies" · Mar 1, 2022
atomist[bot] force-pushed the atomist/npm-audit-main branch from 8d7770d to d2ab04a · March 1, 2022 09:09
atomist[bot] changed the title from "Fix 17 npm dependencies" to "Fix 11 npm dependencies" · Mar 1, 2022
atomist[bot] force-pushed the atomist/npm-audit-main branch from d2ab04a to 8cf084b · March 1, 2022 09:09
atomist[bot] changed the title from "Fix 11 npm dependencies" to "Fix 6 npm dependencies" · Mar 1, 2022
atomist[bot] force-pushed the atomist/npm-audit-main branch from 8cf084b to 11698ec · March 1, 2022 09:15
atomist[bot] force-pushed the atomist/npm-audit-main branch from 62333fa to 41bf286 · March 17, 2022 22:09
atomist[bot] changed the title from "Fix 6 npm dependencies" to "Fix 7 npm dependencies" · Mar 22, 2022
atomist[bot] changed the title from "Fix 7 npm dependencies" to "Fix 8 npm dependencies" · Mar 23, 2022
atomist[bot] force-pushed the atomist/npm-audit-main branch from 41bf286 to 3e0bf7a · March 23, 2022 23:03

    npm audit fix updated the following npm dependencies:

     * ansi-regex > 5.0.1
     * async > 3.2.3
     * minimist > 1.2.6
     * node-fetch > 2.6.7
     * node-forge > 1.3.1
     * re2 > 1.17.4
     * tar > 6.1.11
     * universal-analytics > 0.5.3
     * vm2 > 3.9.9

    [atomist:generated]
    [atomist-skill:atomist/npm-vulnerability-scanner-skill]

atomist[bot] changed the title from "Fix 8 npm dependencies" to "Fix 9 npm dependencies" · Apr 13, 2022
atomist[bot] force-pushed the atomist/npm-audit-main branch from 3e0bf7a to 667c6ca · April 13, 2022 11:07