atomist[bot]
commented
3 years ago Pull request auto merged:
- No reviews
- 2 successful checks
Closed atomist[bot] closed 3 years ago
atomist[bot]
commented
3 years ago Pull request auto merged:
This pull request fixes security vulnerabilities open on 7f4b62a but 4 high and 3 low vulnerabilities remain open and need manual review.
npm audit fixupdated the following npm dependencies:google-gax1.0.5 > 1.15.4google-p12-pem0.9.2 > 2.0.5normalize-url4.5.0 > 4.5.1Fixed vulnerabilities
Following security vulnerabilities are fixed:
normalize-url
Regular Expression Denial of Service Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later high ·
>=4.3.0 <4.5.1 || >=5.0.0 <5.3.1 || >=6.0.0 <6.0.1· CVE-2021-33502 · automatic fix availablenormalize-url@4.5.0· 1 vulnerable path@atomist/sdm > @kubernetes/client-node > openid-client > got > cacheable-request > normalize-url@grpc/grpc-js
Prototype Pollution Upgrade to version 1.1.8 or later high ·
<1.1.8· CVE-2020-7768 · automatic fix available@grpc/grpc-js@1.0.5· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > @grpc/grpc-jsnode-forge
Prototype Pollution in node-forge Upgrade to version 0.10.0 or later high ·
< 0.10.0· CVE-2020-7720 · automatic fix availablenode-forge@0.9.2· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forgenode-forge@0.9.2· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gtoken > google-p12-pem > node-forgeOpen vulnerabilities
Following security vulnerabilities remain open and need manual review:
normalize-url
Regular Expression Denial of Service Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later high ·
>=4.3.0 <4.5.1 || >=5.0.0 <5.3.1 || >=6.0.0 <6.0.1· CVE-2021-33502 · automatic fix availablenormalize-url@4.5.0· 1 vulnerable path@atomist/sdm > @kubernetes/client-node > openid-client > got > cacheable-request > normalize-urljson-bigint
Uncontrolled Resource Consumption in json-bigint Upgrade to version 1.0.0 or later high ·
<1.0.0· CVE-2020-8237 · automatic fix availablejson-bigint@0.3.1· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gcp-metadata > json-bigintjson-bigint@0.3.1· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gcp-metadata > json-bigintlodash
Command Injection Upgrade to version 4.17.21 or later high ·
<4.17.21· CVE-2021-23337 · automatic fix availablelodash@4.17.15· 2 vulnerable paths@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodashlodash@4.17.15· 18 vulnerable paths@atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodashPrototype Pollution Upgrade to version 4.17.19 or later low ·
<4.17.19· CVE-2019-10744 · automatic fix availablelodash@4.17.15· 2 vulnerable paths@atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash@atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodashlodash@4.17.15· 18 vulnerable paths@atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodashnode-forge
Prototype Pollution in node-forge Upgrade to version 0.10.0 or later high ·
< 0.10.0· CVE-2020-7720 · automatic fix availablenode-forge@0.9.2· 1 vulnerable path@atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forgenode-fetch
Denial of Service Upgrade to version 2.6.1 or 3.0.0-beta.9 low ·
< 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9· CVE-2020-15168 · automatic fix availablenode-fetch@2.6.0· 2 vulnerable paths@atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch@atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetchminimist
Prototype Pollution Upgrade to versions 0.2.1, 1.2.3 or later low ·
<0.2.1 || >=1.0.0 <1.2.3· automatic fix availableminimist@0.0.10· 2 vulnerable paths@atomist/automation-client > asciify > optimist > minimist@atomist/sdm > @atomist/automation-client > asciify > optimist > minimistFile changed:
package-lock.jsonatomist/npm-vulnerability-scanner-skill · Configure