All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are ^1.28.1 || ^2.0.5 || >=3.11.4.
Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4.
moderate · >=1.0.0 <1.28.1 || >=2.0.0 <2.0.5 || >=3.0.0 <3.11.4 · CVE-2021-29443 · automatic fix available
jose@2.0.4 · 1 vulnerable path
@atomist/sdm > @kubernetes/client-node > openid-client > jose
This pull request fixes 1 moderate security vulnerability open on fb10a18 but 2 high and 24 low vulnerabilities remain open and need manual review.
npm audit fix updated the following npm dependencies:
jose 2.0.4 > 2.0.5
Fixed vulnerabilities
The following security vulnerability is fixed:
jose
Observable timing discrepancy (patch details, affected ranges and the vulnerable path are given at the top of this page)
Open vulnerabilities
The following security vulnerabilities remain open and need manual review:
node-forge
Prototype Pollution in node-forge. Upgrade to version 0.10.0 or later.
high · <0.10.0 · CVE-2020-7720 · automatic fix available
node-forge@0.9.2 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
node-forge@0.9.2 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
node-fetch
Denial of Service. Upgrade to version 2.6.1 or 3.0.0-beta.9.
low · <2.6.1 || >=3.0.0-beta.1 <3.0.0-beta.9 · CVE-2020-15168 · automatic fix available
node-fetch@2.6.0 · 2 vulnerable paths
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
lodash
Prototype Pollution. Upgrade to version 4.17.19 or later.
low · <4.17.19 · CVE-2019-10744 · automatic fix available
lodash@4.17.15 · 2 vulnerable paths
@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
lodash@4.17.15 · 18 vulnerable paths
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
minimist
Prototype Pollution. Upgrade to version 0.2.1, 1.2.3 or later.
low · <0.2.1 || >=1.0.0 <1.2.3 · automatic fix available
minimist@0.0.10 · 2 vulnerable paths
@atomist/automation-client > asciify > optimist > minimist
@atomist/sdm > @atomist/automation-client > asciify > optimist > minimist
File changed:
package-lock.json
atomist/npm-vulnerability-scanner-skill