xinYG / bootstrap-timepicker

[Deprecated] A simple timepicker component for Twitter Bootstrap
MIT License

WS-2018-0075 (Medium) detected in concat-stream-1.5.0.tgz - autoclosed #38

Closed mend-for-github-com[bot] closed 3 years ago

mend-for-github-com[bot] commented 4 years ago

WS-2018-0075 - Medium Severity Vulnerability

Vulnerable Library - concat-stream-1.5.0.tgz

writable stream that concatenates strings or binary data and calls a callback with the result

Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz

Path to dependency file: /tmp/ws-scm/bootstrap-timepicker/package.json

Path to vulnerable library: /tmp/ws-scm/bootstrap-timepicker/node_modules/concat-stream/package.json

Dependency Hierarchy:
- grunt-contrib-jasmine-0.4.2.tgz (Root Library)
  - grunt-lib-phantomjs-0.3.1.tgz
    - phantomjs-1.9.20.tgz
      - extract-zip-1.5.0.tgz
        - :x: **concat-stream-1.5.0.tgz** (Vulnerable Library)

Found in HEAD commit: c92f0918f68b35842a2bf5ae212e5d75e70546e5

Vulnerability Details

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write(). Versions <1.3.0 are not affected, since they do not use the unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/597

Release Date: 2018-01-27

Fix Resolution: 1.5.2

mend-for-github-com[bot] commented 3 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.