Closed atomist[bot] closed 3 years ago
Pull request auto merged.

This pull request fixes 1 high security vulnerability open on d0619c7 but 4 high and 3 low vulnerabilities remain open and need manual review.

npm audit fix updated the following npm dependencies:

  google-p12-pem   0.9.2 > 2.0.5
  normalize-url    4.5.0 > 4.5.1
  tar              6.1.6 > 6.1.11

Fixed vulnerabilities

The following security vulnerabilities are fixed:

tar

  Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
  Upgrade to versions 4.4.18, 5.0.10, 6.1.9 or later
  high · <4.4.18 || >=5.0.0 <5.0.10 || >=6.0.0 <6.1.9 · CVE-2021-37713 · automatic fix available
  tar@6.1.6 · 1 vulnerable path
    @atomist/sdm > @kubernetes/client-node > tar

  Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
  Upgrade to versions 4.4.18, 5.0.10, 6.1.9 or later
  high · <4.4.18 || >=5.0.0 <5.0.10 || >=6.0.0 <6.1.9 · CVE-2021-37712 · automatic fix available
  tar@6.1.6 · 1 vulnerable path
    @atomist/sdm > @kubernetes/client-node > tar

  Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
  Upgrade to versions 4.4.16, 5.0.8, 6.1.7 or later
  high · <4.4.16 || >=5.0.0 <5.0.8 || >=6.0.0 <6.1.7 · CVE-2021-37701 · automatic fix available
  tar@6.1.6 · 1 vulnerable path
    @atomist/sdm > @kubernetes/client-node > tar

normalize-url

  Regular Expression Denial of Service
  Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later
  high · >=4.3.0 <4.5.1 || >=5.0.0 <5.3.1 || >=6.0.0 <6.0.1 · CVE-2021-33502 · automatic fix available
  normalize-url@4.5.0 · 1 vulnerable path
    @atomist/sdm > @kubernetes/client-node > openid-client > got > cacheable-request > normalize-url

node-forge

  Prototype Pollution in node-forge
  Upgrade to version 0.10.0 or later
  high · < 0.10.0 · CVE-2020-7720 · automatic fix available
  node-forge@0.9.2 · 1 vulnerable path
    @atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge

Open vulnerabilities

The following security vulnerabilities remain open and need manual review:

normalize-url

  Regular Expression Denial of Service
  Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later
  high · >=4.3.0 <4.5.1 || >=5.0.0 <5.3.1 || >=6.0.0 <6.0.1 · CVE-2021-33502 · automatic fix available
  normalize-url@4.5.0 · 1 vulnerable path
    @atomist/sdm > @kubernetes/client-node > openid-client > got > cacheable-request > normalize-url

json-bigint

  Uncontrolled Resource Consumption in json-bigint
  Upgrade to version 1.0.0 or later
  high · <1.0.0 · CVE-2020-8237 · automatic fix available
  json-bigint@0.3.1 · 1 vulnerable path
    @atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gcp-metadata > json-bigint
  json-bigint@0.3.1 · 1 vulnerable path
    @atomist/sdm-function-gcp > @google-cloud/pubsub > google-gax > google-auth-library > gcp-metadata > json-bigint

lodash

  Command Injection
  Upgrade to version 4.17.21 or later
  high · <4.17.21 · CVE-2021-23337 · automatic fix available
  lodash@4.17.15 · 2 vulnerable paths
    @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
    @atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
  lodash@4.17.15 · 18 vulnerable paths
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash

  Prototype Pollution
  Upgrade to version 4.17.19 or later
  low · <4.17.19 · CVE-2019-10744 · automatic fix available
  lodash@4.17.15 · 2 vulnerable paths
    @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
    @atomist/sdm > @atomist/automation-client > @graphql-codegen/core > graphql-toolkit > lodash
  lodash@4.17.15 · 18 vulnerable paths
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/code-file-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/core > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/file-loading > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/graphql-file-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/json-file-loader > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/schema-merging > @graphql-toolkit/common > lodash
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > @graphql-toolkit/common > lodash

node-forge

  Prototype Pollution in node-forge
  Upgrade to version 0.10.0 or later
  high · < 0.10.0 · CVE-2020-7720 · automatic fix available
  node-forge@0.9.2 · 1 vulnerable path
    @atomist/sdm-function-gcp > @google-cloud/pubsub > google-auth-library > gtoken > google-p12-pem > node-forge

node-fetch

  Denial of Service
  Upgrade to version 2.6.1 or 3.0.0-beta.9
  low · < 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9 · CVE-2020-15168 · automatic fix available
  node-fetch@2.6.0 · 2 vulnerable paths
    @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch
    @atomist/sdm > @atomist/automation-client > graphql-toolkit > @graphql-toolkit/url-loader > cross-fetch > node-fetch

minimist

  Prototype Pollution
  Upgrade to versions 0.2.1, 1.2.3 or later
  low · <0.2.1 || >=1.0.0 <1.2.3 · automatic fix available
  minimist@0.0.10 · 2 vulnerable paths
    @atomist/automation-client > asciify > optimist > minimist
    @atomist/sdm > @atomist/automation-client > asciify > optimist > minimist

File changed: package-lock.json

atomist/npm-vulnerability-scanner-skill