
chore: package-lock update #879

Merged
merged 1 commit into from
Sep 12, 2021

Conversation

Contributor

@breautek breautek commented Sep 11, 2021

Platforms affected

Motivation and Context

Resolves several sub-dependency vulnerabilities

Audit JSON Log
{
  "actions": [
    {
      "isMajor": true,
      "action": "install",
      "resolves": [
        {
          "id": 1677,
          "path": "init-package-json>npm-package-arg>hosted-git-info",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1677,
          "path": "init-package-json>read-package-json>normalize-package-data>hosted-git-info",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "init-package-json",
      "target": "2.0.5"
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1556,
          "path": "codecov>teeny-request>node-fetch",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "node-fetch",
      "target": "2.6.2",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1654,
          "path": "nyc>yargs>y18n",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "y18n",
      "target": "4.0.3",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1673,
          "path": "cordova-common>@netflix/nerror>lodash",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "cordova-fetch>cordova-common>@netflix/nerror>lodash",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "cordova-android>cordova-common>@netflix/nerror>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "@cordova/eslint-config>eslint>inquirer>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "rewire>eslint>inquirer>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "@cordova/eslint-config>eslint>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "rewire>eslint>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "@cordova/eslint-config>eslint>table>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "rewire>eslint>table>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-module-imports>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-member-expression-to-functions>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-optimise-call-expression>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "lodash",
      "target": "4.17.21",
      "depth": 10
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1674,
          "path": "cordova-common>underscore",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1674,
          "path": "cordova-fetch>cordova-common>underscore",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1674,
          "path": "cordova-android>cordova-common>underscore",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "underscore",
      "target": "1.13.1",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1677,
          "path": "cordova-fetch>npm-package-arg>hosted-git-info",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "hosted-git-info",
      "target": "3.0.8",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1751,
          "path": "cordova-common>fast-glob>glob-parent",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "cordova-fetch>cordova-common>fast-glob>glob-parent",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "cordova-android>cordova-common>fast-glob>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "globby>fast-glob>glob-parent",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "@cordova/eslint-config>eslint>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "rewire>eslint>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "glob-parent",
      "target": "5.1.2",
      "depth": 4
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1773,
          "path": "cordova-fetch>resolve>path-parse",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "init-package-json>read-package-json>normalize-package-data>resolve>path-parse",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-import>eslint-import-resolver-node>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-import>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-node>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "nyc>istanbul-lib-instrument>@babel/core>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "path-parse",
      "target": "1.0.7",
      "depth": 7
    },
    {
      "action": "review",
      "module": "xmldom",
      "resolves": [
        {
          "id": 1650,
          "path": "cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1650,
          "path": "cordova-fetch>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1650,
          "path": "cordova-android>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1769,
          "path": "cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1769,
          "path": "cordova-fetch>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1769,
          "path": "cordova-android>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        }
      ]
    },
    {
      "action": "review",
      "module": "hosted-git-info",
      "resolves": [
        {
          "id": 1677,
          "path": "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "1556": {
      "findings": [
        {
          "version": "2.6.0",
          "paths": [
            "codecov>teeny-request>node-fetch"
          ]
        }
      ],
      "id": 1556,
      "created": "2020-09-10T17:55:53.926Z",
      "updated": "2020-09-10T17:55:53.926Z",
      "deleted": null,
      "title": "Denial of Service",
      "found_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "module_name": "node-fetch",
      "cves": [
        "CVE-2020-15168"
      ],
      "vulnerable_versions": "< 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9",
      "patched_versions": ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9",
      "overview": "Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.\n\nFor most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.",
      "recommendation": "Upgrade to version 2.6.1 or 3.0.0-beta.9",
      "references": "- https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r",
      "access": "public",
      "severity": "low",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1556"
    },
    "1650": {
      "findings": [
        {
          "version": "0.1.31",
          "paths": [
            "cordova-common>plist>xmldom",
            "cordova-fetch>cordova-common>plist>xmldom",
            "cordova-android>cordova-common>plist>xmldom"
          ]
        }
      ],
      "id": 1650,
      "created": "2021-03-12T22:42:38.486Z",
      "updated": "2021-03-12T22:42:38.486Z",
      "deleted": null,
      "title": "Misinterpretation of malicious XML input",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "xmldom",
      "cves": [
        "CVE-2021-21366"
      ],
      "vulnerable_versions": "<0.5.0",
      "patched_versions": ">=0.5.0",
      "overview": "### Impact\n\n`xmldom` versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents.\n\nThis may lead to unexpected syntactic changes during XML processing in some downstream applications.\n\n### Workarounds\n\nDownstream applications can validate the input and reject the maliciously crafted documents.",
      "recommendation": "Update to 0.5.0 or later",
      "references": "- [GitHub Security Advisory](https://github.com/advisories/GHSA-h6q6-9hqw-rwfv)\n- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21366)\n- [Similar advisory for Go standard library](https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/)",
      "access": "public",
      "severity": "low",
      "cwe": "CWE-115",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1650"
    },
    "1654": {
      "findings": [
        {
          "version": "4.0.0",
          "paths": [
            "nyc>yargs>y18n"
          ]
        }
      ],
      "id": 1654,
      "created": "2021-03-12T23:16:43.813Z",
      "updated": "2021-03-29T16:07:59.314Z",
      "deleted": null,
      "title": "Prototype Pollution",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "y18n",
      "cves": [
        "CVE-2020-7774"
      ],
      "vulnerable_versions": "<3.2.2||=4.0.0||>=5.0.0 <5.0.5",
      "patched_versions": ">=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0",
      "overview": "`y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.\n\n## POC\n\n```\nconst y18n = require('y18n')();\n \ny18n.setLocale('__proto__');\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); // true\n```",
      "recommendation": "Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-7774)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-Y18N-1021887)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-1321",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1654"
    },
    "1673": {
      "findings": [
        {
          "version": "4.17.19",
          "paths": [
            "cordova-common>@netflix/nerror>lodash",
            "cordova-fetch>cordova-common>@netflix/nerror>lodash",
            "cordova-android>cordova-common>@netflix/nerror>lodash",
            "@cordova/eslint-config>eslint>inquirer>lodash",
            "rewire>eslint>inquirer>lodash",
            "@cordova/eslint-config>eslint>lodash",
            "rewire>eslint>lodash",
            "@cordova/eslint-config>eslint>table>lodash",
            "rewire>eslint>table>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-module-imports>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-member-expression-to-functions>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-optimise-call-expression>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>lodash"
          ]
        }
      ],
      "id": 1673,
      "created": "2021-05-06T16:14:39.514Z",
      "updated": "2021-05-06T16:24:12.299Z",
      "deleted": null,
      "title": "Command Injection",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "lodash",
      "cves": [
        "CVE-2021-23337"
      ],
      "vulnerable_versions": "<4.17.21",
      "patched_versions": ">=4.17.21",
      "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
      "recommendation": "Upgrade to version 4.17.21 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)\n- [GitHub Advisory](https://github.com/advisories/GHSA-35jh-r3h4-6jhm)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-LODASH-1040724)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-77",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1673"
    },
    "1674": {
      "findings": [
        {
          "version": "1.10.2",
          "paths": [
            "cordova-common>underscore",
            "cordova-fetch>cordova-common>underscore",
            "cordova-android>cordova-common>underscore"
          ]
        }
      ],
      "id": 1674,
      "created": "2021-05-06T16:14:45.792Z",
      "updated": "2021-05-06T16:26:42.768Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "underscore",
      "cves": [
        "CVE-2021-23358"
      ],
      "vulnerable_versions": ">=1.3.2 <1.12.1",
      "patched_versions": ">=1.12.1",
      "overview": "The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
      "recommendation": "Upgrade to versions 1.12.1 or 1.13.0-2 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23358)\n- [GitHub Advisory](https://github.com/advisories/GHSA-cf4h-3jhx-xvhq)\n",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1674"
    },
    "1677": {
      "findings": [
        {
          "version": "3.0.5",
          "paths": [
            "cordova-fetch>npm-package-arg>hosted-git-info"
          ]
        },
        {
          "version": "2.8.8",
          "paths": [
            "init-package-json>npm-package-arg>hosted-git-info"
          ]
        },
        {
          "version": "2.8.8",
          "paths": [
            "init-package-json>read-package-json>normalize-package-data>hosted-git-info",
            "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info"
          ]
        }
      ],
      "id": 1677,
      "created": "2021-05-06T16:15:08.412Z",
      "updated": "2021-05-07T17:41:14.327Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "hosted-git-info",
      "cves": [
        "CVE-2021-23362"
      ],
      "vulnerable_versions": "<2.8.9 || >=3.0.0 <3.0.8",
      "patched_versions": ">=2.8.9 <3.0.0 || >=3.0.8",
      "overview": "`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity",
      "recommendation": "Upgrade to version 3.0.8 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1677"
    },
    "1751": {
      "findings": [
        {
          "version": "5.1.1",
          "paths": [
            "cordova-common>fast-glob>glob-parent",
            "cordova-fetch>cordova-common>fast-glob>glob-parent",
            "cordova-android>cordova-common>fast-glob>glob-parent",
            "globby>fast-glob>glob-parent",
            "@cordova/eslint-config>eslint>glob-parent",
            "rewire>eslint>glob-parent"
          ]
        }
      ],
      "id": 1751,
      "created": "2021-06-07T21:57:10.135Z",
      "updated": "2021-06-07T21:58:07.745Z",
      "deleted": null,
      "title": "Regular expression denial of service",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "glob-parent",
      "cves": [
        "CVE-2020-28469"
      ],
      "vulnerable_versions": "<5.1.2",
      "patched_versions": ">=5.1.2",
      "overview": "`glob-parent` before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.",
      "recommendation": "Upgrade to version 5.1.2 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1751"
    },
    "1769": {
      "findings": [
        {
          "version": "0.1.31",
          "paths": [
            "cordova-common>plist>xmldom",
            "cordova-fetch>cordova-common>plist>xmldom",
            "cordova-android>cordova-common>plist>xmldom"
          ]
        }
      ],
      "id": 1769,
      "created": "2021-08-03T16:57:27.020Z",
      "updated": "2021-08-03T16:57:57.748Z",
      "deleted": null,
      "title": "Misinterpretation of malicious XML input",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "xmldom",
      "cves": [
        "CVE-2021-32796"
      ],
      "vulnerable_versions": "<0.7.0",
      "patched_versions": ">=0.7.0",
      "overview": "### Impact\nxmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.\n\n### Patches\nUpdate to 0.7.0\n(see issue #271 for the status of publishing the version to npm or join for Q&A/discussion #270 until it's resolved)\n\n### Workarounds\n\nDownstream applications can validate the input and reject the maliciously crafted documents.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)\n* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`\n",
      "recommendation": "Upgrade to version 0.7.0 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32796)\n- [GitHub Advisory](https://github.com/advisories/GHSA-5fg8-2547-mr8q)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-116",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1769"
    },
    "1773": {
      "findings": [
        {
          "version": "1.0.6",
          "paths": [
            "cordova-fetch>resolve>path-parse",
            "init-package-json>read-package-json>normalize-package-data>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-import>eslint-import-resolver-node>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-import>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-node>resolve>path-parse",
            "nyc>istanbul-lib-instrument>@babel/core>resolve>path-parse"
          ]
        }
      ],
      "id": 1773,
      "created": "2021-08-10T15:59:47.884Z",
      "updated": "2021-08-10T16:00:43.559Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service in path-parse",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "path-parse",
      "cves": [
        "CVE-2021-23343"
      ],
      "vulnerable_versions": "<1.0.7",
      "patched_versions": ">=1.0.7",
      "overview": "Affected versions of `path-parse` are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
      "recommendation": "Upgrade to version 1.0.7 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23343)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hj48-42vr-x3v9)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1773"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 4,
      "moderate": 20,
      "high": 50,
      "critical": 0
    },
    "dependencies": 196,
    "devDependencies": 310,
    "optionalDependencies": 0,
    "totalDependencies": 506
  },
  "runId": "24f0391a-5957-4d0e-b2b1-e4fde692a0df"
}

Description

Testing

Checklist

  • I've run the tests to see all new and existing tests pass
  • I added automated test coverage as appropriate for this change
  • Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • I've updated the documentation if necessary
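The audit log above is the npm 6 `npm audit --json` shape: each advisory lists the dependency paths where a vulnerable copy sits (`findings[].paths`), while whether a path is dev-only is recorded separately on `actions[].resolves[].dev`. Deciding what actually ships at runtime (the cordova-common paths) versus what only runs in CI (the eslint and nyc paths) means joining the two. The script below does that join; it is an added example, not part of this PR or of Cordova's tooling. The sample report is constructed from a subset of the log above; the `dev` flags on the eslint/nyc paths and the lodash finding version are assumptions.

```javascript
// Added example (not part of the PR or of Cordova): triage an `npm audit --json`
// report in the npm 6 shape. Runtime exposure is decided by joining each
// advisory's finding paths against actions[].resolves[] for the dev flag.

// Constructed sample. Ids, modules, CVEs and paths follow the audit log;
// the dev flags on eslint/nyc paths and lodash's finding version are assumed.
const SAMPLE_AUDIT = {
  actions: [
    { action: 'update', module: 'lodash', target: '4.17.21', depth: 3,
      resolves: [{ id: 1673, path: 'cordova-common>@netflix/nerror>lodash', dev: false }] },
    { action: 'install', module: 'init-package-json', target: '2.0.5', isMajor: true,
      resolves: [{ id: 1677, path: 'init-package-json>npm-package-arg>hosted-git-info', dev: false }] },
    { action: 'update', module: 'glob-parent', target: '5.1.2', depth: 3,
      resolves: [
        { id: 1751, path: 'cordova-common>fast-glob>glob-parent', dev: false },
        { id: 1751, path: '@cordova/eslint-config>eslint>glob-parent', dev: true },
      ] },
    { action: 'update', module: 'path-parse', target: '1.0.7', depth: 5,
      resolves: [{ id: 1773, path: 'nyc>istanbul-lib-instrument>@babel/core>resolve>path-parse', dev: true }] },
  ],
  advisories: {
    1673: { id: 1673, module_name: 'lodash', severity: 'high', cves: ['CVE-2021-23337'],
            patched_versions: '>=4.17.21',
            findings: [{ version: '4.17.20', paths: ['cordova-common>@netflix/nerror>lodash'] }] },
    1677: { id: 1677, module_name: 'hosted-git-info', severity: 'moderate', cves: ['CVE-2021-23362'],
            patched_versions: '>=2.8.9 <3.0.0 || >=3.0.8',
            findings: [{ version: '2.8.8', paths: ['init-package-json>npm-package-arg>hosted-git-info'] }] },
    1751: { id: 1751, module_name: 'glob-parent', severity: 'moderate', cves: ['CVE-2020-28469'],
            patched_versions: '>=5.1.2',
            findings: [{ version: '5.1.1', paths: [
              'cordova-common>fast-glob>glob-parent',
              '@cordova/eslint-config>eslint>glob-parent'] }] },
    1773: { id: 1773, module_name: 'path-parse', severity: 'moderate', cves: ['CVE-2021-23343'],
            patched_versions: '>=1.0.7',
            findings: [{ version: '1.0.6', paths: ['nyc>istanbul-lib-instrument>@babel/core>resolve>path-parse'] }] },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Index actions[].resolves[] by "advisoryId|path" so every finding path can be
// looked up for its dev flag and for the fix npm proposes.
function indexResolves(report) {
  const index = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      index.set(`${r.id}|${r.path}`, {
        dev: Boolean(r.dev),
        fix: `${action.action} ${action.module}@${action.target}${action.isMajor ? ' (major)' : ''}`,
      });
    }
  }
  return index;
}

// One row per advisory: runtime exposure first, then by severity, then by id.
function triage(report) {
  const resolves = indexResolves(report);
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    const runtimePaths = [], devOnlyPaths = [], unresolvedPaths = [], fixes = new Set();
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const r = resolves.get(`${adv.id}|${path}`);
        if (!r) { unresolvedPaths.push(path); continue; } // npm offers no automatic fix here
        fixes.add(r.fix);
        (r.dev ? devOnlyPaths : runtimePaths).push(path);
      }
    }
    rows.push({
      id: adv.id, module: adv.module_name, severity: adv.severity, cves: adv.cves || [],
      patched: adv.patched_versions,
      // A path with unknown dev status is treated as runtime: err on the side of fixing it.
      runtime: runtimePaths.length > 0 || unresolvedPaths.length > 0,
      runtimePaths, devOnlyPaths, unresolvedPaths, fixes: [...fixes].sort(),
    });
  }
  return rows.sort((a, b) =>
    Number(b.runtime) - Number(a.runtime) ||
    (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0) ||
    a.id - b.id);
}

// Advisories that reach runtime code, counted by severity. This counts
// advisories, whereas metadata.vulnerabilities in the log counts vulnerable
// paths, which is why the log reports far more "high" than there are advisories.
function runtimeCounts(rows) {
  const counts = {};
  for (const row of rows) {
    if (row.runtime) counts[row.severity] = (counts[row.severity] || 0) + 1;
  }
  return counts;
}
```

Feed it the parsed object from `npm audit --json` via `triage(JSON.parse(...))`; the rows that come back with `runtime: true` are the ones a lockfile bump like this PR must fix before release, the rest are CI-only and can be scheduled.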

@codecov-commenter

codecov-commenter commented Sep 11, 2021

Codecov Report

Merging #879 (96309ed) into master (dd872f0) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master     #879   +/-   ##
=======================================
  Coverage   91.13%   91.13%           
=======================================
  Files          45       45           
  Lines        2053     2053           
=======================================
  Hits         1871     1871           
  Misses        182      182           

Continue to review full report at Codecov.


Member

@NiklasMerz NiklasMerz left a comment

Audit issues are really annoying. Tests pass and 0 audit issues in lib now.

Thanks 👍

Edit: This test was flawed as I thought my NPM credentials changed

Member

@NiklasMerz NiklasMerz left a comment

I just checked package.json again and found out all URLs point to a totalpave registry: https://registry.totalpave.com

@breautek Please rebuild package-lock.json again with the NPM registry setup.

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

@dpogue
Member

dpogue commented Sep 11, 2021

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?

@breautek
Contributor Author

I just checked package.json again and found out all URLs point to a totalpave registry: https://registry.totalpave.com

@breautek Please rebuild package-lock.json again with the NPM registry setup.

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Argh! Oops!

That's work stuff bleeding in... I'll fix it when I get home

@breautek
Contributor Author

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?

Npm will still work with a message that "it will try its best".

But not really sure what that means exactly.

@breautek
Contributor Author

@NiklasMerz do you think there would be pushback if we start adding .npmrc configs to our cordova repos to re-assert npm registry is npm's official registry?

Would avoid mistakes like this in the future by having a project level npm config.
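A project-level `.npmrc` pins the registry for future installs, but it does not retroactively check a lockfile that was already generated against the wrong one, and `npm install`/`npm ci` fetch from whatever `resolved` URLs the lock carries. The scanner below is the check that would have caught this PR's first revision; it is an added example, not part of the PR or of Cordova's tooling. It flattens a package-lock of lockfileVersion 1 (nested `dependencies`) or 2/3 (flat `packages`) and flags entries whose `resolved` host is not on an allowlist, plus plain-http, missing `resolved` and missing `integrity`. Both sample lockfiles are constructed; the package versions and `integrity` values in them are placeholders, and the allowlist of just `registry.npmjs.org` is an assumption.

```javascript
// Added example (not part of the PR or of Cordova): scan a package-lock.json for
// entries that resolve somewhere other than the registry the project expects.
// Usage: node check-lock.js package-lock.json   (exit code 1 if anything is flagged)

// Hosts a dependency may legitimately be fetched from. Assumption: only the
// public npm registry; add internal mirrors here if the project uses them.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Constructed lockfileVersion 1 sample (versions/integrity are placeholders).
const SAMPLE_LOCK_V1 = {
  name: 'demo', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'cordova-common': {
      version: '4.0.0',
      resolved: 'https://registry.npmjs.org/cordova-common/-/cordova-common-4.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER1',
      dependencies: {
        underscore: {
          version: '1.10.2',
          // Stray private-registry host, the kind of mistake caught in review above
          resolved: 'https://registry.totalpave.com/underscore/-/underscore-1.10.2.tgz',
          integrity: 'sha512-PLACEHOLDER2',
        },
      },
    },
    'example-dep': {
      version: '1.0.0',
      resolved: 'http://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz', // plain http, no integrity
    },
  },
};

// Constructed lockfileVersion 2 sample with the same tree.
const SAMPLE_LOCK_V2 = {
  name: 'demo', version: '1.0.0', lockfileVersion: 2, requires: true,
  packages: {
    '': { name: 'demo', version: '1.0.0', dependencies: { 'cordova-common': '^4.0.0' } },
    'node_modules/cordova-common': {
      version: '4.0.0',
      resolved: 'https://registry.npmjs.org/cordova-common/-/cordova-common-4.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER1',
    },
    'node_modules/cordova-common/node_modules/underscore': {
      version: '1.10.2',
      resolved: 'https://registry.totalpave.com/underscore/-/underscore-1.10.2.tgz',
      integrity: 'sha512-PLACEHOLDER2',
    },
  },
};

// Flatten either lockfile shape into [{ name, version, resolved, integrity }].
function collectEntries(lock) {
  const out = [];
  if (lock.packages) {                        // lockfileVersion 2 or 3
    for (const [key, pkg] of Object.entries(lock.packages)) {
      if (key === '' || pkg.link) continue;   // root project and workspace links
      out.push({ name: key.split('node_modules/').pop(), version: pkg.version,
                 resolved: pkg.resolved, integrity: pkg.integrity });
    }
  } else if (lock.dependencies) {             // lockfileVersion 1
    const walk = (deps) => {
      for (const [name, dep] of Object.entries(deps)) {
        out.push({ name, version: dep.version, resolved: dep.resolved, integrity: dep.integrity });
        if (dep.dependencies) walk(dep.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// One finding per problem; an empty array means the lock is clean.
function checkLock(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const e of collectEntries(lock)) {
    const flag = (reason) => findings.push({ name: e.name, version: e.version, resolved: e.resolved, reason });
    if (!e.resolved) { flag('missing-resolved'); continue; }      // bundled/local, review by hand
    let url;
    try { url = new URL(e.resolved); } catch (err) { flag('unparseable-resolved'); continue; }
    if (url.protocol === 'http:') flag('insecure-scheme');
    else if (url.protocol !== 'https:') { flag('non-registry-source'); continue; } // git+ssh:, file:, ...
    if (!allowedHosts.has(url.hostname)) flag('unexpected-host');
    if (!e.integrity) flag('missing-integrity');
  }
  return findings;
}

// CLI entry point, only when a path is given on the command line.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const findings = checkLock(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
  for (const f of findings) console.log(`${f.reason}\t${f.name}@${f.version}\t${f.resolved}`);
  process.exitCode = findings.length ? 1 : 0;
}
```

Run it as a CI step next to `npm ci`; a non-zero exit means a lock entry points at a host that is not on the allowlist, and the failing row names the package and URL. Pairing it with a repo-level `.npmrc` containing `registry=https://registry.npmjs.org/` covers both directions: the `.npmrc` stops the wrong registry from getting into the lock on a developer machine, the check stops a lock that already has one from being merged.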

@breautek
Contributor Author

Set my registry back to registry.npmjs.org and regenerated the package-lock. This PR is rebased for the correction.

@breautek breautek merged commit fd98199 into apache:master Sep 12, 2021
@breautek breautek deleted the pkg-lock-update branch September 12, 2021 09:59
@purplecabbage
Contributor

Mostly we should not be committing package-lock, except for the cli itself ... am I missing something?

@breautek
Contributor Author

breautek commented Sep 12, 2021

Package-lock is intended to be committed, as it ensures that two developers on two different machines will install the exact same dependencies when they run npm install.

Not to be confused when users are using this package as a library, in which case their root package-lock is used.

From NPM: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json

This file is intended to be committed into source repositories, and serves various purposes:

Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.

Facilitate greater visibility of tree changes through readable source control diffs.

Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.

As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.

@purplecabbage
Contributor

This sums up what I think ...
Apps yes, libs no

sindresorhus/ama#479 (comment)

@breautek
Contributor Author

There was a consensus back in 2018 via apache/cordova#4 (comment) to add package-locks, which is why a variety of our packages have package-locks.

If you ask my personal opinion on package-locks, I hate them, mostly for the reasons described by sindresorhus.

However, not committing them still presents the same issues described by sindresorhus, unless we (the maintainers) are constantly wiping the package-lock & node_modules and reinstalling from scratch. We could configure NPM via .npmrc to disable package locks so they won't be generated in the first place, but this also has a few consequences:

  1. node_modules are not automatically pruned if package-locks are disabled. They can be manually pruned via npm prune.
  2. NPM installs will be slower (however not sure how significant since most cordova repos are fairly small anyway)
  3. npm ci command requires package-lock or shrinkwrap, so CI workflows may have to be updated accordingly to use npm install instead.
  4. npm audit I believe also requires package-lock or shrinkwrap

Despite its flaws I think the benefits of package-lock still outweigh the consequences of not committing/disabling package-lock.

@purplecabbage
Contributor

Okay, yeah that makes sense.
Let's commit 'em

6 participants