Closed breautek closed 3 years ago
Merging #879 (96309ed) into master (dd872f0) will not change coverage. The diff coverage is n/a.
```
@@            Coverage Diff            @@
##           master     #879   +/-   ##
=======================================
  Coverage   91.13%   91.13%
=======================================
  Files          45       45
  Lines        2053     2053
=======================================
  Hits         1871     1871
  Misses        182      182
```
Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.
Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?
I just checked package.json again and found out all URLs point to a totalpave registry:
https://registry.totalpave.com
@breautek Please rebuild package-lock.json again with the NPM registry setup.
> Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Argh! Oops!
That's work stuff bleeding in... I'll fix it when I get home.
> Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.
> Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?
Npm will still work with a message that "it will try its best".
But not really sure what that means exactly.
@NiklasMerz do you think there would be pushback if we start adding .npmrc configs to our cordova repos to re-assert that the npm registry is npm's official registry?
Would avoid mistakes like this in the future by having a project-level npm config.
Set my registry back to registry.npmjs.org and regenerated the package-lock. This PR is rebased for the correction.
Mostly we should not be committing package-lock, except for the cli itself ... am I missing something?
Package-lock is intended to be committed, as it ensures that two developers on two different machines will install the exact same dependencies when they run npm install.
Not to be confused when users are using this package as a library, in which case their root package-lock is used.
From NPM: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json

> This file is intended to be committed into source repositories, and serves various purposes:
>
> - Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
> - Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
> - Facilitate greater visibility of tree changes through readable source control diffs.
> - Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
>
> As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.
This sums up what I think ... Apps yes, libs no
https://github.com/sindresorhus/ama/issues/479#issuecomment-310661514
There was a consensus back in 2018 via https://github.com/apache/cordova/issues/4#issuecomment-420728477 to add package-locks, which is why a variety of our packages have package-locks.
If you ask my personal opinion on package-locks, I hate them, mostly for the reasons described by sindresorhus.
However, not committing them still presents the same issues described by sindresorhus, unless we (the maintainers) are constantly wiping the package-lock & node_modules and reinstalling from scratch. We could configure NPM via `.npmrc` to disable package locks so they won't be generated in the first place, but this also has a few consequences:
`npm prune`
`npm install`
instead. Despite its flaws I think the benefits of package-lock still outweigh the consequences of not committing/disabling package-lock.
Okay, yeah that makes sense. Let's commit 'em
Platforms affected
Motivation and Context
Resolves several sub-dependency vulnerabilities
Audit JSON Log