Command injection in simple-git
This PR fixes some of the found vulnerabilities.
Fixed 6 of 19 npm vulnerabilities. 13 issues left. Success rate: 31.6%
Vulnerabilities:

| Vulnerability | Library | Affected versions | Severity | Fix | Root libraries |
|---|---|---|---|---|---|
| Inefficient Regular Expression Complexity in chalk/ansi-regex | ansi-regex | >=3.0.0 <3.0.1 | high | :heavy_check_mark: true | |
| decode-uri-component vulnerable to Denial of Service (DoS) | decode-uri-component | <=0.2.0 | low | :x: 11.2.0 | danger 8.0.0-alpha-1 - 11.1.3. Fixed in 11.2.0 |
| ejs template injection vulnerability | ejs | <3.1.7 | critical | :x: 3.11.1 | ejs <3.1.7. Fixed in 3.11.1 |
| Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects | follow-redirects | <1.14.8 | moderate | :heavy_check_mark: true | |
| minimatch ReDoS vulnerability | minimatch | <3.0.5 | high | :x: true | mocha 5.1.0 - 9.2.1. Fixed in true |
| Prototype Pollution in minimist | minimist | <1.2.6 | critical | :heavy_check_mark: true | |
| Path Traversal: 'dir/../../filename' in moment.locale | moment | <2.29.2 | high | :heavy_check_mark: true | |
| Command Injection in moment-timezone | moment-timezone | >=0.1.0 <0.5.35 | low | :heavy_check_mark: true | |
| Packing does not respect root-level ignore files in workspaces | npm | >=7.9.0 <8.11.0 | high | :heavy_check_mark: true | |
| Authorization Bypass in parse-path | parse-path | <5.0.0 | high | :x: true | |
| Cross site scripting in parse-url | parse-url | <6.0.1 | moderate | :heavy_check_mark: true | |
| Exposure of Sensitive Information to an Unauthorized Actor in semantic-release | semantic-release | >=17.0.4 <19.0.3 | moderate | :heavy_check_mark: true | semantic-release 17.0.4 - 19.0.2. Fixed in true |
| Regular expression denial of service in semver-regex | semver-regex | <3.1.4 | low | :heavy_check_mark: true | |
| Command injection in simple-git | simple-git | <3.3.0 | high | :x: 3.15.1 | simple-git <=3.4.0. Fixed in 3.15.1 |
You can wait for the next updates with a full fix, or merge immediately. If this PR is closed, it will be recreated; if that is undesired, modify the config.