yarn-audit-html
Generate an HTML report for Yarn Audit
{"actions":[],"advisories":{"1088666":{"findings":[{"version":"2.6.3","paths":["async"]}],"metadata":null,"vulnerable_versions":">=2.0.0 <2.6.4","module_name":"async","severity":"high","github_advisory_id":"GHSA-fwr7-v2mv-hh25","cves":["CVE-2021-43138"],"access":"public","patched_versions":">=2.6.4","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-01-23T18:54:20.000Z","recommendation":"Upgrade to version 2.6.4 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1088666,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-43138\n- https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\n- https://github.com/caolan/async/blob/master/lib/internal/iterator.js\n- https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\n- https://jsfiddle.net/oz5twjd9/\n- https://github.com/caolan/async/pull/1828\n- https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2\n- https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\n- https://github.com/caolan/async/compare/v2.6.3...v2.6.4\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/\n- https://github.com/advisories/GHSA-fwr7-v2mv-hh25","created":"2022-04-07T00:00:17.000Z","reported_by":null,"title":"Prototype Pollution in async","npm_advisory_id":null,"overview":"A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` 
method.","url":"https://github.com/advisories/GHSA-fwr7-v2mv-hh25"},"1089058":{"findings":[{"version":"4.17.15","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-27T05:07:54.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089058,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. 
Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1089198":{"findings":[{"version":"2.177.0","paths":["aws-sdk"]}],"metadata":null,"vulnerable_versions":"<2.814.0","module_name":"aws-sdk","severity":"high","github_advisory_id":"GHSA-rrc9-gqf8-8rwg","cves":["CVE-2020-28472"],"access":"public","patched_versions":">=2.814.0","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-29T05:06:10.000Z","recommendation":"Upgrade to version 2.814.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089198,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28472\n- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611\n- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425\n- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424\n- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304\n- https://github.com/advisories/GHSA-rrc9-gqf8-8rwg","created":"2021-11-16T21:26:43.000Z","reported_by":null,"title":"Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader","npm_advisory_id":null,"overview":"This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. 
If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.","url":"https://github.com/advisories/GHSA-rrc9-gqf8-8rwg"},"1089664":{"findings":[{"version":"3.33.0","paths":["serverless-offline"]}],"metadata":null,"vulnerable_versions":"<=8.0.0","module_name":"serverless-offline","severity":"moderate","github_advisory_id":"GHSA-h97f-5258-5593","cves":["CVE-2021-38384"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-02-01T05:06:05.000Z","recommendation":"None","cwe":["CWE-863"],"found_by":null,"deleted":null,"id":1089664,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-38384\n- https://github.com/dherault/serverless-offline/issues/1259\n- https://github.com/advisories/GHSA-h97f-5258-5593","created":"2021-09-01T18:32:22.000Z","reported_by":null,"title":"Incorrect Authorization in serverless-offline","npm_advisory_id":null,"overview":"Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).","url":"https://github.com/advisories/GHSA-h97f-5258-5593"},"1090049":{"findings":[{"version":"0.19.2","paths":["axios"]}],"metadata":null,"vulnerable_versions":"<0.21.1","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-4w2v-q235-vp99","cves":["CVE-2020-28168"],"access":"public","patched_versions":">=0.21.1","cvss":{"score":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},"updated":"2023-02-01T05:05:04.000Z","recommendation":"Upgrade to version 0.21.1 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1090049,"references":"- 
https://nvd.nist.gov/vuln/detail/CVE-2020-28168\n- https://github.com/axios/axios/issues/3369\n- https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55\n- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255\n- https://www.npmjs.com/package/axios\n- https://www.npmjs.com/advisories/1594\n- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-4w2v-q235-vp99","created":"2021-01-04T20:59:40.000Z","reported_by":null,"title":"Axios vulnerable to Server-Side Request Forgery","npm_advisory_id":null,"overview":"Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.","url":"https://github.com/advisories/GHSA-4w2v-q235-vp99"},"1091185":{"findings":[{"version":"4.17.15","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-02-28T22:27:17.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091185,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- 
https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1091307":{"findings":[{"version":"4.17.15","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- 
https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091366":{"findings":[{"version":"0.19.2","paths":["axios"]}],"metadata":null,"vulnerable_versions":"<0.21.2","module_name":"axios","severity":"high","github_advisory_id":"GHSA-cph5-m8f7-6c5x","cves":["CVE-2021-3749"],"access":"public","patched_versions":">=0.21.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-03-13T23:23:20.000Z","recommendation":"Upgrade to version 0.21.2 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091366,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3749\n- https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929\n- https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31\n- https://www.npmjs.com/package/axios\n- 
https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-cph5-m8f7-6c5x","created":"2021-09-01T18:23:02.000Z","reported_by":null,"title":"axios Inefficient Regular Expression Complexity vulnerability","npm_advisory_id":null,"overview":"axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.","url":"https://github.com/advisories/GHSA-cph5-m8f7-6c5x"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":5,"critical":0},"dependencies":130,"devDependencies":3,"optionalDependencies":0,"totalDependencies":133}}