Closed atomist[bot] closed 3 years ago
This pull request fixes security vulnerabilities open on b44f702 but 4 high, 1 moderate and 3 low vulnerabilities remain open and need manual review.
npm audit fix updated the following npm dependencies: ws
Following security vulnerability is fixed:
Regular Expression Denial of Service · Upgrade to version 7.4.6 or later · moderate · >=5.0.0 <7.4.6 · CVE-2021-32640 · automatic fix available
ws@7.4.5
@atomist/automation-client > ws
@atomist/sdm > @atomist/automation-client > ws
ws@7.4.4
@atomist/sdm > @kubernetes/client-node > ws
Following security vulnerabilities remain open and need manual review:
Prototype Pollution · Upgrade to version 1.1.8 or later · high · <1.1.8 · CVE-2020-7768 · automatic fix available
@grpc/grpc-js@1.0.5
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > @grpc/grpc-js
Uncontrolled Resource Consumption in json-bigint · Upgrade to version 1.0.0 or later · high · <1.0.0 · CVE-2020-8237 · automatic fix available
json-bigint@0.3.1
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gcp-metadata > json-bigint
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gcp-metadata > json-bigint
Command Injection · Upgrade to version 4.17.21 or later · high · <4.17.21 · CVE-2021-23337 · automatic fix available
lodash@4.17.15
@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
Prototype Pollution · Upgrade to version 4.17.19 or later · low · <4.17.19 · CVE-2019-10744 · automatic fix available
lodash@4.17.15 (same vulnerable paths as listed above)
Prototype Pollution in node-forge · Upgrade to version 0.10.0 or later · high · < 0.10.0 · CVE-2020-7720 · automatic fix available
node-forge@0.9.2
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
Denial of Service · Upgrade to version 2.6.1 or 3.0.0-beta.9 · low · < 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9 · CVE-2020-15168 · automatic fix available
node-fetch@2.6.0
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
Prototype Pollution · Upgrade to versions 0.2.1, 1.2.3 or later · low · <0.2.1 || >=1.0.0 <1.2.3 · automatic fix available
minimist@0.0.10
@atomist/automation-client > asciify > optimist > minimist
@atomist/sdm > @atomist/automation-client > asciify > optimist > minimist
File changed:
package-lock.json
atomist/npm-vulnerability-scanner-skill
Pull request auto merged:
npm audit fix updated the following npm dependencies: ws (7.4.5, 7.4.4 > 7.4.6)
Fixed vulnerabilities
Following security vulnerability is fixed:
ws
Regular Expression Denial of Service · Upgrade to version 7.4.6 or later · moderate · >=5.0.0 <7.4.6 · CVE-2021-32640 · automatic fix available
ws@7.4.5 · 2 vulnerable paths
@atomist/automation-client > ws
@atomist/sdm > @atomist/automation-client > ws
ws@7.4.4 · 1 vulnerable path
@atomist/sdm > @kubernetes/client-node > ws
Open vulnerabilities
Following security vulnerabilities remain open and need manual review:
@grpc/grpc-js
Prototype Pollution · Upgrade to version 1.1.8 or later · high · <1.1.8 · CVE-2020-7768 · automatic fix available
@grpc/grpc-js@1.0.5 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > @grpc/grpc-js
json-bigint
Uncontrolled Resource Consumption in json-bigint · Upgrade to version 1.0.0 or later · high · <1.0.0 · CVE-2020-8237 · automatic fix available
json-bigint@0.3.1 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gcp-metadata > json-bigint
json-bigint@0.3.1 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gcp-metadata > json-bigint
lodash
Command Injection · Upgrade to version 4.17.21 or later · high · <4.17.21 · CVE-2021-23337 · automatic fix available
lodash@4.17.15 · 2 vulnerable paths
@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
lodash@4.17.15 · 18 vulnerable paths
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
Prototype Pollution · Upgrade to version 4.17.19 or later · low · <4.17.19 · CVE-2019-10744 · automatic fix available
lodash@4.17.15 · 2 vulnerable paths
@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
lodash@4.17.15 · 18 vulnerable paths (the same 18 paths listed under the Command Injection advisory above)
node-forge
Prototype Pollution in node-forge · Upgrade to version 0.10.0 or later · high · < 0.10.0 · CVE-2020-7720 · automatic fix available
node-forge@0.9.2 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge
node-forge@0.9.2 · 1 vulnerable path
@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forge
ws
Regular Expression Denial of Service · Upgrade to version 7.4.6 or later · moderate · >=5.0.0 <7.4.6 · CVE-2021-32640 · automatic fix available
ws@7.4.5 · 2 vulnerable paths
@atomist/automation-client > ws
@atomist/sdm > @atomist/automation-client > ws
node-fetch
Denial of Service · Upgrade to version 2.6.1 or 3.0.0-beta.9 · low · < 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9 · CVE-2020-15168 · automatic fix available
node-fetch@2.6.0 · 2 vulnerable paths
@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
minimist
Prototype Pollution · Upgrade to versions 0.2.1, 1.2.3 or later · low · <0.2.1 || >=1.0.0 <1.2.3 · automatic fix available
minimist@0.0.10 · 2 vulnerable paths
@atomist/automation-client > asciify > optimist > minimist
@atomist/sdm > @atomist/automation-client > asciify > optimist > minimist