WS-2016-0036 (Low) detected in cli-0.6.6.tgz - autoclosed

[dev-mend-for-github-com[bot]]

WS-2016-0036 - Low Severity Vulnerability

Vulnerable Library - cli-0.6.6.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/htmlhint/node_modules/cli/package.json

Dependency Hierarchy: - grunt-htmlhint-0.9.13.tgz (Root Library) - htmlhint-0.9.13.tgz - jshint-2.8.0.tgz - :x: **cli-0.6.6.tgz** (Vulnerable Library)

Found in HEAD commit: 6a7f6548c41947cf09eca74a5bcaf78cd0bd209c

Found in base branch: main

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-08-16

URL: WS-2016-0036

CVSS 2 Score Details (1.9)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/node-js-libs/cli/commit/fd6bc4d2a901aabe0bb6067fbcc14a4fe3faa8b9

Release Date: 2016-08-16

Fix Resolution: 1.0.0

[dev-mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[dev-mend-for-github-com[bot]]

:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

[dev-mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.