Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/package.json
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (12 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/git_dependency_local_file/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_dependency_local_file/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/git_dependency_local_file/node_modules/minimist/package.json
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/resolution_specified/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/json-schema/package.json,/npm_and_yarn/helpers/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_yarn/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_npm/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/json-schema/package.json
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10744
### Vulnerable Libraries - lodash-4.17.5.tgz, lodash-4.17.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/lodash,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/lodash,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/js-yaml,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/js-yaml/package.json
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/package.json
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/https-proxy-agent
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/js-yaml,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/js-yaml/package.json
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/body-parser,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/body-parser
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/path-to-regexp,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/path-to-regexp
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm6/multiple_sources/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_switch/node_modules/minimatch,/npm_and_yarn/helpers/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimatch/package.json
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_npm/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/qs,/npm_and_yarn/helpers/node_modules/npm/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/qs,/npm_and_yarn/helpers/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/qs/package.json
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - graphql-cli-3.0.3.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-44906
### Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz### minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/git_dependency_local_file/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_dependency_local_file/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/git_dependency_local_file/node_modules/minimist/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - update-notifier-2.5.0.tgz - latest-version-3.1.0.tgz - package-json-4.0.1.tgz - registry-auth-token-3.3.2.tgz - rc-1.2.7.tgz - :x: **minimist-1.2.0.tgz** (Vulnerable Library) ### minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/resolution_specified/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - mkdirp-0.5.1.tgz - :x: **minimist-0.0.8.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsMinimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (graphql-cli): 3.0.4
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-3918
### Vulnerable Library - json-schema-0.2.3.tgzJSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/json-schema/package.json,/npm_and_yarn/helpers/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_yarn/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_npm/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/json-schema/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - request-2.88.0.tgz - http-signature-1.2.0.tgz - jsprim-1.4.1.tgz - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsjson-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2019-10744
### Vulnerable Libraries - lodash-4.17.5.tgz, lodash-4.17.11.tgz### lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/lodash
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - graphql-cli-prepare-1.4.19.tgz - :x: **lodash-4.17.5.tgz** (Vulnerable Library) ### lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/lodash,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/lodash,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - :x: **lodash-4.17.11.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsVersions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-25
URL: CVE-2019-10744
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-25
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2019-0063
### Vulnerable Library - js-yaml-3.12.0.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/js-yaml,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/js-yaml/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - :x: **js-yaml-3.12.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsJs-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2018-0107
### Vulnerable Library - open-0.0.5.tgzopen a file or url in the user's preferred application
Library home page: https://registry.npmjs.org/open/-/open-0.0.5.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/open
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - graphql-cli-prepare-1.4.19.tgz - graphql-static-binding-0.9.3.tgz - cucumber-html-reporter-3.0.4.tgz - :x: **open-0.0.5.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAll versions of open are vulnerable to command injection when unsanitized user input is passed in.
Publish Date: 2018-05-16
URL: WS-2018-0107
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0107
Release Date: 2018-01-27
Fix Resolution (open): 6.0.0
Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-43138
### Vulnerable Library - async-2.6.1.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - express-request-proxy-2.2.2.tgz - :x: **async-2.6.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2019-0310
### Vulnerable Library - https-proxy-agent-2.2.1.tgzAn HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/https-proxy-agent
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - graphql-config-extension-prisma-0.2.5.tgz - prisma-yml-1.20.0-beta.18.tgz - :x: **https-proxy-agent-2.2.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details"in 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.
Publish Date: 2019-10-07
URL: WS-2019-0310
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-10-07
Fix Resolution (https-proxy-agent): 2.2.3
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2019-0032
### Vulnerable Library - js-yaml-3.12.0.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/js-yaml,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/js-yaml/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - :x: **js-yaml-3.12.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsVersions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2024-45590
### Vulnerable Library - body-parser-1.18.3.tgzNode.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/body-parser,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/body-parser
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - express-4.16.4.tgz - :x: **body-parser-1.18.3.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsbody-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
Publish Date: 2024-09-10
URL: CVE-2024-45590
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
Release Date: 2024-09-10
Fix Resolution: body-parser - 1.20.3
CVE-2024-45296
### Vulnerable Libraries - path-to-regexp-0.1.7.tgz, path-to-regexp-1.7.0.tgz### path-to-regexp-0.1.7.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/path-to-regexp,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/path-to-regexp
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - express-4.16.4.tgz - :x: **path-to-regexp-0.1.7.tgz** (Vulnerable Library) ### path-to-regexp-1.7.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.7.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/path-to-regexp
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - express-request-proxy-2.2.2.tgz - :x: **path-to-regexp-1.7.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailspath-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution (path-to-regexp): 0.1.10
Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8
Fix Resolution (path-to-regexp): 0.1.10
Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-3517
### Vulnerable Library - minimatch-3.0.4.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm6/multiple_sources/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_switch/node_modules/minimatch,/npm_and_yarn/helpers/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimatch/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - graphql-schema-linter-0.1.6.tgz - glob-7.1.2.tgz - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-24999
### Vulnerable Library - qs-6.5.2.tgzA querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_npm/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/qs,/npm_and_yarn/helpers/node_modules/npm/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/qs,/npm_and_yarn/helpers/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/qs/package.json
Dependency Hierarchy: - graphql-cli-3.0.3.tgz (Root Library) - request-2.88.0.tgz - :x: **qs-6.5.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (graphql-cli): 3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.