⚠️ We detected 28 security issues in this pull request:
Vulnerable Libraries (28)
Severity | Details
----- | --------
Critical | [pkg:npm/execa@1.0.0@1.0.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L8768) (t) - **no patch available**
High | [pkg:npm/async@2.6.3@2.6.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L6137) (t) upgrade to: *3.2.2,2.6.4*
High | [pkg:npm/follow-redirects@1.13.3@1.13.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L9120) (t) upgrade to: *1.14.7*
Critical | [pkg:npm/lodash@4.17.20@4.17.20](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10378) (t) - **no patch available**
High | [pkg:npm/ansi-regex@4.1.0@4.1.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L5965) (t) - **no patch available**
Critical | [pkg:npm/json-schema@0.2.3@0.2.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10192) (t) upgrade to: *0.4.0*
Medium | [pkg:npm/browserslist@4.16.3@4.16.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L6571) (t) upgrade to: *4.16.5*
High | [pkg:npm/glob-parent@5.1.1@5.1.1](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L9284) (t) upgrade to: *5.1.2*
Medium | [pkg:npm/path-parse@1.0.6@1.0.6](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L11316) (t) upgrade to: *1.0.7*
High | [pkg:npm/hosted-git-info@2.8.8@2.8.8](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L9471) (t) - **no patch available**
High | [ansi-regex@4.1.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L5964) (t) upgrade to: *3.0.0 || >4.1.0 || 5.0.0*
High | [async@2.6.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L6136) (t) upgrade to: *>2.6.3*
Medium | [browserslist@4.16.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L6570) (t) upgrade to: *>4.16.4*
High | [follow-redirects@1.13.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L9119) (t) upgrade to: *>1.14.7*
Medium | [hosted-git-info@2.8.8](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L9470) (t) upgrade to: *>=2.8.9*
Critical | [jsprim@1.4.1](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10224) (t) upgrade to: *>1.4.1 || >2.0.1*
High | [lodash@4.17.20](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10377) (t) upgrade to: *>=4.17.21*
Critical | [minimist@1.2.5](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10679) (t) upgrade to: *>=1.2.6*
Medium | [path-parse@1.0.6](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L11315) (t) upgrade to: *>=1.0.7*
High | [webpack@4.46.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L13466) (t) upgrade to: *>4.46.0*
Medium | [browserslist@4.16.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/package-lock.json) (t) upgrade to: *>4.16.4*
High | [follow-redirects@1.13.3](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/package-lock.json) (t) upgrade to: *>1.14.7*
Critical | [shell-quote@1.7.2](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/package-lock.json) (t) upgrade to: *>1.7.2*
High | [terser@4.8.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/package-lock.json) (t) upgrade to: *>=4.8.1*
High | [webpack@4.46.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/package-lock.json) (t) upgrade to: *>4.46.0*
Critical | [loader-utils@1.4.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10346) (t) upgrade to: *>1.4.1*
High | [minimatch@3.0.4](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/apps/package-lock.json#L10670) (t) upgrade to: *>=3.0.5*
Critical | [loader-utils@1.4.0](https://github.com/koromerzhin/template-vuejs/blob/ab22962ccabf627a2860439444eb31a9ac4335b1/package-lock.json) (t) upgrade to: *>1.4.1*
More info on how to fix Vulnerable Libraries in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/using_vulnerable_libraries.html?utm_source=ghpr#).
This PR contains the following updates:
ejs `2.7.4` -> `3.1.7`
GitHub Vulnerability Alerts
CVE-2022-29078
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Configuration
🕐 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.