Update lavamoat

[socket-security[bot]]

Updated and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
gatsby-plugin-mdx	2.14.1...2.15.0	None	+16/-5	2.26 MB	pieh

🚮 Removed packages: @lavamoat/allow-scripts@1.0.5

[socket-security[bot]]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Critical CVE	minimist	1.2.5	CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0, < 1.2.6 Patched version: 1.2.6	@mdx-js/mdx@1.6.22, @metamask/eslint-config@6.0.0, @open-rpc/inspector@1.7.1, @xops.net/gatsby-openrpc-theme@1.1.8, eslint-plugin-import@2.22.1, gatsby@2.32.11, gatsby-plugin-mdx@2.15.0, loader-utils@2.0.4, monaco-editor-webpack-plugin@1.7.0 via package.json
Critical CVE	@babel/traverse	7.13.13	CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: < 7.23.2 Patched version: 7.23.2	@mdx-js/mdx@1.6.22, @xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11, gatsby-plugin-mdx@2.15.0 via package.json
Critical CVE	url-parse	1.5.7	CVE: GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse (CRITICAL) Affected versions: < 1.5.8 Patched version: 1.5.8	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
Mild CVE	url-parse	1.5.7	CVE: GHSA-jf5r-8hm2-f872 url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. (MODERATE) Affected versions: < 1.5.9 Patched version: 1.5.9	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
CVE	terser	4.8.0	CVE: GHSA-4wf5-vphf-c2xc Terser insecure use of regular expressions leads to ReDoS (HIGH) Affected versions: < 4.8.1 Patched version: 4.8.1	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11, monaco-editor-webpack-plugin@1.7.0 via package.json
CVE	devcert	1.1.3	CVE: GHSA-fp36-299x-pwmw Regular expression denial of service in devcert (HIGH) Affected versions: < 1.2.1 Patched version: 1.2.1	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
CVE	decode-uri-component	0.2.0	CVE: GHSA-w573-4hg7-7wgq decode-uri-component vulnerable to Denial of Service (DoS) (HIGH) Affected versions: < 0.2.1 Patched version: 0.2.1	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11, monaco-editor-webpack-plugin@1.7.0 via package.json
CVE	moment	2.29.1	CVE: GHSA-wc69-rhjr-hc9g Moment.js vulnerable to Inefficient Regular Expression Complexity (HIGH) Affected versions: >= 2.18.0, < 2.29.4 Patched version: 2.29.4 +1 more instances...	@open-rpc/inspector@1.7.1, @xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
CVE	jpeg-js	0.4.3	CVE: GHSA-xvf7-4v9q-58w6 Infinite loop in jpeg-js (HIGH) Affected versions: < 0.4.4 Patched version: 0.4.4	@xops.net/gatsby-openrpc-theme@1.1.8 via package.json
CVE	ua-parser-js	0.7.27	CVE: GHSA-fhg7-m89q-25r3 ReDoS Vulnerability in ua-parser-js version (HIGH) Affected versions: < 0.7.33 Patched version: 0.7.33	@open-rpc/docs-react@1.5.0, @open-rpc/inspector@1.7.1, @xops.net/gatsby-openrpc-theme@1.1.8 via package.json
CVE	json5	2.2.0	CVE: GHSA-9c47-m6qq-7p4h Prototype Pollution in JSON5 via Parse Method (HIGH) Affected versions: >= 2.0.0, < 2.2.2 Patched version: 2.2.2	@mdx-js/mdx@1.6.22, @xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11, gatsby-plugin-mdx@2.15.0, loader-utils@2.0.4 via package.json
CVE	qs	6.10.1	CVE: GHSA-hrpp-h998-j3pp qs vulnerable to Prototype Pollution (HIGH) Affected versions: >= 6.10.0, < 6.10.3 Patched version: 6.10.3	@open-rpc/inspector@1.7.1, @xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
CVE	axios	0.21.1	CVE: GHSA-cph5-m8f7-6c5x axios Inefficient Regular Expression Complexity vulnerability (HIGH) Affected versions: < 0.21.2 Patched version: 0.21.2	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
Install scripts	@lavamoat/aa	3.1.5	Install script: preinstall Source: echo evil! +4 more instances...	@lavamoat/allow-scripts@2.5.1 via package.json
New author	@lavamoat/aa	3.1.5	New Author: boneskull Previous Author: naugtur	@lavamoat/allow-scripts@2.5.1 via package.json
Mild CVE	browserslist	4.16.3	CVE: GHSA-w8qv-6jwh-64r5 Regular Expression Denial of Service in browserslist (MODERATE) Affected versions: >= 4.0.0, < 4.16.5 Patched version: 4.16.5	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
Mild CVE	semver	5.7.1	CVE: GHSA-c2qf-rxjj-qqgw semver vulnerable to Regular Expression Denial of Service (MODERATE) Affected versions: < 5.7.2 Patched version: 5.7.2	@mdx-js/mdx@1.6.22, @metamask/eslint-config@6.0.0, @open-rpc/docs-react@1.5.0, @open-rpc/inspector@1.7.1, @xops.net/gatsby-openrpc-theme@1.1.8, eslint-plugin-import@2.22.1, gatsby@2.32.11, gatsby-plugin-mdx@2.15.0, monaco-editor-webpack-plugin@1.7.0 via package.json
Mild CVE	semver	6.3.0	CVE: GHSA-c2qf-rxjj-qqgw semver vulnerable to Regular Expression Denial of Service (MODERATE) Affected versions: >= 6.0.0, < 6.3.1 Patched version: 6.3.1	@metamask/eslint-config-nodejs@6.0.0, @open-rpc/inspector@1.7.1, @xops.net/gatsby-openrpc-theme@1.1.8, eslint-plugin-node@11.1.0, gatsby@2.32.11, gatsby-plugin-mdx@2.15.0 via package.json
Mild CVE	semver	7.0.0	CVE: GHSA-c2qf-rxjj-qqgw semver vulnerable to Regular Expression Denial of Service (MODERATE) Affected versions: >= 7.0.0, < 7.5.2 Patched version: 7.5.2	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
Mild CVE	semver	7.3.5	CVE: GHSA-c2qf-rxjj-qqgw semver vulnerable to Regular Expression Denial of Service (MODERATE) Affected versions: >= 7.0.0, < 7.5.2 Patched version: 7.5.2	@metamask/eslint-config@6.0.0, @metamask/eslint-config-jest@6.0.0, @metamask/eslint-config-nodejs@6.0.0, @metamask/eslint-config-typescript@6.0.0, @open-rpc/inspector@1.7.1, @typescript-eslint/eslint-plugin@4.22.0, @typescript-eslint/parser@4.22.0, @xops.net/gatsby-openrpc-theme@1.1.8, eslint@7.24.0, eslint-config-prettier@8.2.0, eslint-plugin-import@2.22.1, eslint-plugin-jest@24.3.5, eslint-plugin-node@11.1.0, eslint-plugin-prettier@3.4.0, eslint-plugin-react@7.23.2, gatsby@2.32.11 via package.json
Mild CVE	semver	7.3.7	CVE: GHSA-c2qf-rxjj-qqgw semver vulnerable to Regular Expression Denial of Service (MODERATE) Affected versions: >= 7.0.0, < 7.5.2 Patched version: 7.5.2	@metamask/eslint-config-jest@6.0.0, @metamask/eslint-config-typescript@6.0.0, @typescript-eslint/eslint-plugin@4.22.0, @typescript-eslint/parser@4.22.0, @xops.net/gatsby-openrpc-theme@1.1.8, eslint-plugin-jest@24.3.5, gatsby@2.32.11 via package.json
Mild CVE	word-wrap	1.2.3	CVE: GHSA-j8xg-fqg3-53r7 word-wrap vulnerable to Regular Expression Denial of Service (MODERATE) Affected versions: < 1.2.4 Patched version: 1.2.4	@metamask/eslint-config@6.0.0, @metamask/eslint-config-jest@6.0.0, @metamask/eslint-config-nodejs@6.0.0, @metamask/eslint-config-typescript@6.0.0, @typescript-eslint/eslint-plugin@4.22.0, @typescript-eslint/parser@4.22.0, @xops.net/gatsby-openrpc-theme@1.1.8, eslint@7.24.0, eslint-config-prettier@8.2.0, eslint-plugin-import@2.22.1, eslint-plugin-jest@24.3.5, eslint-plugin-node@11.1.0, eslint-plugin-prettier@3.4.0, eslint-plugin-react@7.23.2, gatsby@2.32.11 via package.json
Mild CVE	follow-redirects	1.14.7	CVE: GHSA-pw2r-vq6v-hr8c Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects (MODERATE) Affected versions: < 1.14.8 Patched version: 1.14.8	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
Mild CVE	@sideway/formula	3.0.0	CVE: GHSA-c2jc-4fpr-4vhg @sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability (MODERATE) Affected versions: < 3.0.1 Patched version: 3.0.1	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
New author	destroy	1.0.4	New Author: dougwilson Previous Author: jongleberry	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
New author	regexpu-core	4.7.1	New Author: jridgewell Previous Author: mathias	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
New author	@babel/helper-skip-transparent-expression-wrappers	7.12.1	New Author: nicolo-ribaudo Previous Author: jlhwung	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
New author	nopt	6.0.0	New Author: gar Previous Author: isaacs	@lavamoat/allow-scripts@2.5.1 via package.json
No README	@babel/compat-data	7.13.12	Location: Package overview	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
No README	@babel/helper-compilation-targets	7.13.13	Location: Package overview	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
No README	@babel/plugin-transform-react-jsx-development	7.12.17	Location: Package overview	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json
No README	@babel/plugin-transform-react-pure-annotations	7.12.1	Location: Package overview	@xops.net/gatsby-openrpc-theme@1.1.8, gatsby@2.32.11 via package.json

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is a mild CVE?

Contains a low severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is a CVE?

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Why are READMEs important?

Package does not have a README. This may indicate a failed publish or a low quality package.

Add a README to to the package and publish a new version.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore terser@4.8.0
• @SocketSecurity ignore devcert@1.1.3
• @SocketSecurity ignore decode-uri-component@0.2.0
• @SocketSecurity ignore moment@2.29.1
• @SocketSecurity ignore jpeg-js@0.4.3
• @SocketSecurity ignore ua-parser-js@0.7.27
• @SocketSecurity ignore json5@2.2.0
• @SocketSecurity ignore qs@6.10.1
• @SocketSecurity ignore axios@0.21.1
• @SocketSecurity ignore browserslist@4.16.3
• @SocketSecurity ignore semver@5.7.1
• @SocketSecurity ignore semver@6.3.0
• @SocketSecurity ignore semver@7.0.0
• @SocketSecurity ignore semver@7.3.5
• @SocketSecurity ignore semver@7.3.7
• @SocketSecurity ignore word-wrap@1.2.3
• @SocketSecurity ignore follow-redirects@1.14.7
• @SocketSecurity ignore @sideway/formula@3.0.0
• @SocketSecurity ignore url-parse@1.5.7
• @SocketSecurity ignore @babel/compat-data@7.13.12
• @SocketSecurity ignore @babel/helper-compilation-targets@7.13.13
• @SocketSecurity ignore @babel/plugin-transform-react-jsx-development@7.12.17
• @SocketSecurity ignore @babel/plugin-transform-react-pure-annotations@7.12.1
• @SocketSecurity ignore destroy@1.0.4
• @SocketSecurity ignore regexpu-core@4.7.1
• @SocketSecurity ignore @babel/helper-skip-transparent-expression-wrappers@7.12.1
• @SocketSecurity ignore nopt@6.0.0
• @SocketSecurity ignore @lavamoat/aa@3.1.5
• @SocketSecurity ignore minimist@1.2.5
• @SocketSecurity ignore @babel/traverse@7.13.13