atomist[bot]
commented
3 years ago Pull request auto merged:
- No reviews
- 2 successful checks
Closed atomist[bot] closed 3 years ago
atomist[bot]
commented
3 years ago Pull request auto merged:
This pull request fixes 1 moderate security vulnerability open on fb10a18 but 2 high and 24 low vulnerabilities remain open and need manual review.
npm audit fixupdated the following npm dependencies:jose2.0.4 > 2.0.5Fixed vulnerabilities
Following security vulnerability is fixed:
jose
Observable timing discrepancy _### Patches
All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are
^1.28.1 || ^2.0.5 || >=3.11.4.Users should upgrade their v1.x dependency to
^1.28.1, their v2.x dependency to^2.0.5, and their v3.x dependency to^3.11.4_ moderate ·>=1.0.0 <1.28.1 || >=2.0.0 <2.0.5 || >= 3.0.0 < 3.11.4· CVE-2021-29443 · automatic fix availablejose@2.0.4· 1 vulnerable path@atomist/sdm > @kubernetes/client-node > openid-client > joseOpen vulnerabilities
Following security vulnerabilities remain open and need manual review:
node-forge
Prototype Pollution in node-forge Upgrade to version 0.10.0 or later high ·
< 0.10.0· CVE-2020-7720 · automatic fix availablenode-forge@0.9.2· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forgenode-forge@0.9.2· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forgenode-fetch
Denial of Service Upgrade to version 2.6.1 or 3.0.0-beta.9 low ·
< 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9· CVE-2020-15168 · automatic fix availablenode-fetch@2.6.0· 2 vulnerable paths@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetchlodash
Prototype Pollution Upgrade to version 4.17.19 or later low ·
<4.17.19· CVE-2019-10744 · automatic fix availablelodash@4.17.15· 2 vulnerable paths@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodashlodash@4.17.15· 18 vulnerable paths@atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodashminimist
Prototype Pollution Upgrade to versions 0.2.1, 1.2.3 or later low ·
<0.2.1 || >=1.0.0 <1.2.3· automatic fix availableminimist@0.0.10· 2 vulnerable paths@atomist/automation-client > asciify > optimist > minimist@atomist/sdm > @atomist/automation-client > asciify > optimist > minimistFile changed:
package-lock.jsonatomist/npm-vulnerability-scanner-skill · Configure