# Vulnerable Library - cz-conventional-changelog-3.2.0.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json
Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/merge/package.json
## Vulnerabilities

| CVE | CVSS 3 | Dependency | Type | Fixed in (cz-conventional-changelog) |
| --- | --- | --- | --- | --- |
| CVE-2020-28499 | 9.8 | merge-1.2.1.tgz | Transitive | 3.2.1 |
| CVE-2023-26115 | 7.5 | word-wrap-1.2.3.tgz | Transitive | 3.2.1 |
| CVE-2021-3807 | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 3.2.1 |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation**
## Details
## CVE-2020-28499
### Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz
Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json
Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/merge/package.json
Dependency Hierarchy:
- cz-conventional-changelog-3.2.0.tgz (Root Library)
  - commitizen-4.1.2.tgz
    - find-node-modules-2.0.0.tgz
      - :x: **merge-1.2.1.tgz** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details

All versions of the package merge before 2.1.0 are vulnerable to Prototype Pollution via `_recursiveMerge`: a merged object carrying a `__proto__` key lets the caller of the merge write attacker-chosen properties onto `Object.prototype`, which every object in the process then inherits.
Publish Date: 2021-02-18
URL: CVE-2020-28499
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (cz-conventional-changelog): 3.2.1
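The report names the bug class (Prototype Pollution through a recursive merge) but not how it is triggered. The block below is an added illustration written for this page, not the source of the `merge` package and not the actual `_recursiveMerge` code: a generic naive deep merge that recurses through `target["__proto__"]`, shown next to a hardened version that skips prototype-related keys and only recurses into the target's own plain-object properties. The payload and the `isAdmin` property name are constructed for the demonstration.

```javascript
// Added example, not the source of the `merge` package: a naive recursive
// merge that can be polluted through a "__proto__" key, next to a hardened
// version. Both take (target, source) and mutate target, like a deep extend.

// VULNERABLE: walks every enumerable key of source and recurses whenever the
// matching target property is an object. For key "__proto__", target["__proto__"]
// resolves to Object.prototype, so the recursion writes attacker-chosen
// properties onto the shared prototype of every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' &&
        target[key] !== null && typeof target[key] === 'object') {
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// HARDENED: only own keys of source, prototype-related keys skipped, and
// recursion only into own, plain-object properties of target (never into
// anything reached through the prototype chain, such as Object.prototype).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// own property literally named "__proto__" instead of setting the prototype,
// which is exactly what the naive merge then follows.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Returns whether merging PAYLOAD with the given function leaked `isAdmin`
// onto Object.prototype, and removes the pollution afterwards so the process
// is left clean for the next call.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));   // false
```

The CVSS vector above (Network, no privileges, no interaction, High on all three impacts) reflects that the polluted property is visible to every object in the process: whichever later code checks `user.isAdmin` or a similar flag without an own-property check is affected, not just the code that called the merge.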
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

## CVE-2023-26115
### Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.
Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz
Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json
Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/word-wrap/package.json
Dependency Hierarchy:
- cz-conventional-changelog-3.2.0.tgz (Root Library)
  - :x: **word-wrap-1.2.3.tgz** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details

All versions of the package word-wrap before 1.2.4 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the `result` variable: a crafted input string makes the regex backtrack superlinearly, so a single call can hold the event loop for seconds or longer.
Publish Date: 2023-06-22
URL: CVE-2023-26115
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-j8xg-fqg3-53r7
Release Date: 2023-06-22
Fix Resolution (word-wrap): 1.2.4
Direct dependency fix Resolution (cz-conventional-changelog): 3.2.1
## CVE-2021-3807

### Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json
Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/commitizen/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- cz-conventional-changelog-3.2.0.tgz (Root Library)
  - commitizen-4.1.2.tgz
    - inquirer-6.5.0.tgz
      - string-width-2.1.1.tgz
        - strip-ansi-4.0.0.tgz
          - :x: **ansi-regex-3.0.0.tgz** (Vulnerable Library)
Found in base branch: develop
### Vulnerability Details

ansi-regex 3.0.0 is vulnerable to Inefficient Regular Expression Complexity (CWE-1333, i.e. ReDoS): a crafted string containing ANSI escape sequences makes the matching regex backtrack superlinearly. Note that this copy is nested under `node_modules/commitizen/node_modules/`, so a newer ansi-regex hoisted to the top level of `node_modules` does not replace it.
Publish Date: 2021-09-17
URL: CVE-2021-3807
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (cz-conventional-changelog): 3.2.1
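All three findings share the same remediation (bump the direct dependency cz-conventional-changelog to 3.2.1 so the transitive merge, word-wrap and ansi-regex versions move past 2.1.0, 1.2.4 and 3.0.1 respectively), and the third one shows why a lockfile check has to look at nested paths and not only top-level packages. The block below is an added check written for this page, not part of the Mend report or its tooling: it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and flags entries still resolving below the fix versions listed above. The sample lockfile is constructed to mirror the paths in this report and is not the project's real lockfile; the hoisted `node_modules/ansi-regex` 5.0.1 entry is an assumption added to show the nested-copy case.

```javascript
// Added example, not Mend tooling: flag package-lock.json entries that still
// resolve to versions below the fix versions given in the report above.

const ADVISORIES = [
  { cve: 'CVE-2020-28499', name: 'merge',      fixedIn: '2.1.0' },
  { cve: 'CVE-2023-26115', name: 'word-wrap',  fixedIn: '1.2.4' },
  { cve: 'CVE-2021-3807',  name: 'ansi-regex', fixedIn: '3.0.1' },
];

// Minimal x.y.z comparison, numeric per component so 2.10.0 > 2.9.9.
// Prerelease and build tags are ignored (assumption: the lockfile pins
// plain release versions, which is what npm writes for registry packages).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function versionLessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// The package name is whatever follows the last "node_modules/" segment, so
// nested copies such as node_modules/commitizen/node_modules/ansi-regex and
// scoped packages such as node_modules/@scope/pkg both resolve correctly.
function packageNameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? p : p.slice(idx + 'node_modules/'.length);
}

// Returns one finding per (advisory, lockfile path) pair whose resolved
// version is below the advisory's fix version. lockfileVersion 1 files use a
// nested "dependencies" tree instead of "packages" and are rejected here.
function auditLockfile(lock, advisories = ADVISORIES) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || !entry.version) continue; // "" is the root project entry
    const name = packageNameFromPath(path);
    for (const adv of advisories) {
      if (adv.name === name && versionLessThan(entry.version, adv.fixedIn)) {
        findings.push({ cve: adv.cve, path, version: entry.version, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile mirroring the dependency paths in the report
// (not the project's real package-lock.json). The top-level ansi-regex 5.0.1
// entry is an assumed hoisted copy: it is not affected and must not mask the
// nested 3.0.0 copy under commitizen.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'racing-bars-history' },
    'node_modules/cz-conventional-changelog': { version: '3.2.0' },
    'node_modules/commitizen': { version: '4.1.2' },
    'node_modules/merge': { version: '1.2.1' },
    'node_modules/word-wrap': { version: '1.2.3' },
    'node_modules/commitizen/node_modules/ansi-regex': { version: '3.0.0' },
    'node_modules/ansi-regex': { version: '5.0.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.cve}: ${f.path}@${f.version} (fixed in ${f.fixedIn})`);
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; after upgrading cz-conventional-changelog to 3.2.1 and regenerating the lockfile, the audit should return no findings, and the nested `commitizen/node_modules/ansi-regex` path in particular should be gone or at 3.0.1 or later.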