[Snyk] Fix for 2 vulnerabilities #146

Open. Wants to merge 1 commit into base: master.
fix: package.json & package-lock.json to reduce vulnerabilities

65d6add
Mend Bolt for GitHub / WhiteSource Security Check failed Nov 28, 2023 in 5m 14s

Security Report

You have successfully remediated 37 vulnerabilities, but introduced 26 new vulnerabilities in this branch.

❌ New vulnerabilities:

CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue

MSC-2023-16598 | Critical | 9.8 | fsevents-1.2.7.tgz | (no fix listed) | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> ❌ fsevents-1.2.7.tgz (Vulnerable Library)

CVE-2023-45311 | Critical | 9.8 | fsevents-1.2.7.tgz | Upgrade to version: fsevents - 1.2.11 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> ❌ fsevents-1.2.7.tgz (Vulnerable Library)

CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.4.3.tgz | Upgrade to version: tough-cookie - 4.1.3 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> request-2.88.0.tgz (Root Library)
       -> ❌ tough-cookie-2.4.3.tgz (Vulnerable Library)

CVE-2021-3918 | Critical | 9.8 | json-schema-0.2.3.tgz | Upgrade to version: json-schema - 0.4.0 | #97
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> request-2.88.0.tgz (Root Library)
       -> http-signature-1.2.0.tgz
         -> jsprim-1.4.1.tgz
           -> ❌ json-schema-0.2.3.tgz (Vulnerable Library)

CVE-2020-7788 | Critical | 9.8 | ini-1.3.5.tgz | Upgrade to version: v1.3.6 | #50
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> gulp-cli-2.0.1.tgz
         -> liftoff-2.5.0.tgz
           -> findup-sync-2.0.0.tgz
             -> resolve-dir-1.0.1.tgz
               -> global-modules-1.0.0.tgz
                 -> global-prefix-1.0.2.tgz
                   -> ❌ ini-1.3.5.tgz (Vulnerable Library)

CVE-2020-7774 | Critical | 9.8 | y18n-3.2.1.tgz | Upgrade to version: 3.2.2, 4.0.1, 5.0.5 | #48
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> gulp-cli-2.0.1.tgz
         -> yargs-7.1.0.tgz
           -> ❌ y18n-3.2.1.tgz (Vulnerable Library)

CVE-2020-28503 | Critical | 9.8 | copy-props-2.0.4.tgz | Upgrade to version: copy-props - 2.0.5 | #70
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> gulp-cli-2.0.1.tgz
         -> ❌ copy-props-2.0.4.tgz (Vulnerable Library)

CVE-2020-36327 | High | 8.8 | bundler-2.0.1.gem | Upgrade to version: bundler - 2.2.10 | None
  Path to vulnerable library: /vendor/bundle/ruby/3.2.0/cache/bundler-2.0.1.gem
  Dependency Hierarchy:
    -> ❌ bundler-2.0.1.gem (Vulnerable Library)

CVE-2021-37713 | High | 8.6 | tar-4.4.8.tgz | Upgrade to version: tar - 4.4.18,5.0.10,6.1.9 | #92
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> fsevents-1.2.7.tgz
             -> node-pre-gyp-0.10.3.tgz
               -> ❌ tar-4.4.8.tgz (Vulnerable Library)

CVE-2021-37712 | High | 8.6 | tar-4.4.8.tgz | Upgrade to version: tar - 4.4.18,5.0.10,6.1.9 | #87
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> fsevents-1.2.7.tgz
             -> node-pre-gyp-0.10.3.tgz
               -> ❌ tar-4.4.8.tgz (Vulnerable Library)

CVE-2021-37701 | High | 8.6 | tar-4.4.8.tgz | Upgrade to version: tar - 4.4.16,5.0.8,6.1.7 | #91
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> fsevents-1.2.7.tgz
             -> node-pre-gyp-0.10.3.tgz
               -> ❌ tar-4.4.8.tgz (Vulnerable Library)

CVE-2021-32804 | High | 8.1 | tar-4.4.8.tgz | Upgrade to version: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1 | #89
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> fsevents-1.2.7.tgz
             -> node-pre-gyp-0.10.3.tgz
               -> ❌ tar-4.4.8.tgz (Vulnerable Library)

CVE-2021-32803 | High | 8.1 | tar-4.4.8.tgz | Upgrade to version: tar - 3.2.3, 4.4.15, 5.0.7, 6.1.2 | #90
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> glob-watcher-5.0.3.tgz
         -> chokidar-2.1.2.tgz
           -> fsevents-1.2.7.tgz
             -> node-pre-gyp-0.10.3.tgz
               -> ❌ tar-4.4.8.tgz (Vulnerable Library)

CVE-2019-3881 | High | 7.8 | bundler-2.0.1.gem | Upgrade to version: v2.1.0.pre.3 | None
  Path to vulnerable library: /vendor/bundle/ruby/3.2.0/cache/bundler-2.0.1.gem
  Dependency Hierarchy:
    -> ❌ bundler-2.0.1.gem (Vulnerable Library)

CVE-2022-25883 | High | 7.5 | semver-5.6.0.tgz | Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> googleapis-39.2.0.tgz (Root Library)
       -> google-auth-library-3.1.2.tgz
         -> ❌ semver-5.6.0.tgz (Vulnerable Library)

CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 | #134
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> request-2.88.0.tgz (Root Library)
       -> ❌ qs-6.5.2.tgz (Vulnerable Library)

CVE-2022-24772 | High | 7.5 | node-forge-0.10.0.tgz | Upgrade to version: node-forge - 1.3.0 | #115
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> language-3.0.0.tgz (Root Library)
       -> google-gax-1.15.4.tgz
         -> google-auth-library-5.10.1.tgz
           -> gtoken-4.1.4.tgz
             -> google-p12-pem-2.0.5.tgz
               -> ❌ node-forge-0.10.0.tgz (Vulnerable Library)

CVE-2022-24771 | High | 7.5 | node-forge-0.10.0.tgz | Upgrade to version: node-forge - 1.3.0 | #116
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> language-3.0.0.tgz (Root Library)
       -> google-gax-1.15.4.tgz
         -> google-auth-library-5.10.1.tgz
           -> gtoken-4.1.4.tgz
             -> google-p12-pem-2.0.5.tgz
               -> ❌ node-forge-0.10.0.tgz (Vulnerable Library)

CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Upgrade to version: nth-check - v2.0.1 | #98
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> cheerio-1.0.0-rc.2.tgz (Root Library)
       -> css-select-1.2.0.tgz
         -> ❌ nth-check-1.0.2.tgz (Vulnerable Library)

CVE-2021-23343 | High | 7.5 | path-parse-1.0.6.tgz | Upgrade to version: path-parse - 1.0.7 | #75
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> gulp-cli-2.0.1.tgz
         -> liftoff-2.5.0.tgz
           -> resolve-1.10.0.tgz
             -> ❌ path-parse-1.0.6.tgz (Vulnerable Library)

CVE-2021-43809 | High | 7.3 | bundler-2.0.1.gem | Upgrade to version: bundler - 2.2.33 | None
  Path to vulnerable library: /vendor/bundle/ruby/3.2.0/cache/bundler-2.0.1.gem
  Dependency Hierarchy:
    -> ❌ bundler-2.0.1.gem (Vulnerable Library)

WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Upgrade to version: node-forge - 1.0.0 | #101
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> language-3.0.0.tgz (Root Library)
       -> google-gax-1.15.4.tgz
         -> google-auth-library-5.10.1.tgz
           -> gtoken-4.1.4.tgz
             -> google-p12-pem-2.0.5.tgz
               -> ❌ node-forge-0.10.0.tgz (Vulnerable Library)

CVE-2023-45857 | Medium | 6.5 | axios-0.21.4.tgz | Upgrade to version: axios - 1.6.0 | None
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> browser-sync-2.28.0.tgz (Root Library)
       -> localtunnel-2.0.2.tgz
         -> ❌ axios-0.21.4.tgz (Vulnerable Library)

CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Upgrade to version: node-forge - 1.0.0 | #99
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> language-3.0.0.tgz (Root Library)
       -> google-gax-1.15.4.tgz
         -> google-auth-library-5.10.1.tgz
           -> gtoken-4.1.4.tgz
             -> google-p12-pem-2.0.5.tgz
               -> ❌ node-forge-0.10.0.tgz (Vulnerable Library)

CVE-2022-24773 | Medium | 5.3 | node-forge-0.10.0.tgz | Upgrade to version: node-forge - 1.3.0 | #114
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> language-3.0.0.tgz (Root Library)
       -> google-gax-1.15.4.tgz
         -> google-auth-library-5.10.1.tgz
           -> gtoken-4.1.4.tgz
             -> google-p12-pem-2.0.5.tgz
               -> ❌ node-forge-0.10.0.tgz (Vulnerable Library)

CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.7.1.tgz | Upgrade to version: hosted-git-info - 2.8.9,3.0.8 | #72
  Path to dependency file: /package.json
  Path to vulnerable library: /package.json
  Dependency Hierarchy:
    -> gulp-4.0.0.tgz (Root Library)
       -> gulp-cli-2.0.1.tgz
         -> yargs-7.1.0.tgz
           -> read-pkg-up-1.0.1.tgz
             -> read-pkg-1.1.0.tgz
               -> normalize-package-data-2.5.0.tgz
                 -> ❌ hosted-git-info-2.7.1.tgz (Vulnerable Library)

✔️ Remediated vulnerabilities:

CVE | Vulnerable Library
CVE-2022-2421 | socket.io-parser-3.2.0.tgz
CVE-2021-23434 | object-path-0.9.2.tgz
WS-2020-0091 | http-proxy-1.15.2.tgz
CVE-2023-32732 | grpc-v1.19.0
CVE-2023-33953 | grpc-v1.19.0
CVE-2021-3805 | object-path-0.9.2.tgz
WS-2020-0368 | node-v7.6.0
CVE-2023-45857 | axios-0.17.1.tgz
CVE-2018-7159 | io.js
CVE-2020-15256 | object-path-0.9.2.tgz
CVE-2020-28502 | xmlhttprequest-ssl-1.5.5.tgz
CVE-2018-25032 | node-v7.6.0
WS-2020-0443 | socket.io-2.1.1.tgz
CVE-2018-17567 | jekyll-v3.7.1
CVE-2022-37434 | node-v7.6.0
CVE-2020-7608 | yargs-parser-4.2.1.tgz
CVE-2021-31597 | xmlhttprequest-ssl-1.5.5.tgz
CVE-2020-28168 | axios-0.17.1.tgz
CVE-2021-3749 | axios-0.17.1.tgz
CVE-2023-32731 | grpc-v1.19.0
CVE-2020-28481 | socket.io-2.1.1.tgz
CVE-2020-14001 | kramdown-REL_1_17_0
CVE-2020-15168 | node-fetch-2.3.0.tgz
CVE-2022-24999 | qs-6.2.3.tgz
CVE-2020-36048 | engine.io-3.2.1.tgz
CVE-2020-7768 | grpc-js-0.3.6.tgz
CVE-2022-2421 | socket.io-parser-3.3.0.tgz
CVE-2020-36049 | socket.io-parser-3.2.0.tgz
CVE-2022-25878 | protobufjs-6.8.8.tgz
CVE-2021-32740 | addressable-addressable-2.6.0
CVE-2022-25878 | protobufjs-5.0.3.tgz
CVE-2020-36049 | socket.io-parser-3.3.0.tgz
CVE-2020-1971 | ring-fips-20180730
CVE-2019-10742 | axios-0.17.1.tgz
CVE-2022-0235 | node-fetch-2.3.0.tgz
CVE-2020-7768 | grpc-1.19.0.tgz
CVE-2022-41940 | engine.io-3.2.1.tgz

Base branch total remaining vulnerabilities: 85
Base branch commit: null


Total libraries scanned: 756

Scan token: 7f23acb36c72451c970e57ffff288604