chore(release): v10.60.0 #17617

Merged: 1 commit, Sep 30, 2024

chore(release): v10.60.0

7ed61eb
IBM Mend app / Mend Security Check failed Sep 30, 2024 in 11m 28s

Security Report

You have successfully remediated 6 vulnerabilities, but introduced 52 new vulnerabilities in this branch.

❌ New vulnerabilities:

Each entry below is one flattened table row: the CVE (or Mend WS id) on its own line, then the path to the dependency file, the path to the vulnerable library in the Yarn cache, the dependency hierarchy from the root library down to the vulnerable library (marked ❌), and finally one line with the remaining columns: Severity, CVSS Score, Vulnerable Library, Suggested Fix, Issue.
CVE-2022-37601

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/loader-utils-npm-1.2.3-d5bb1b4e08-385407fc26.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> styled-jsx-5.0.0-beta.3.tgz

       -> ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Critical 9.8 loader-utils-1.2.3.tgz Upgrade to version: loader-utils - 1.4.1,2.0.3 None
CVE-2021-44906

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/minimist-npm-1.2.5-ced0e1f617-86706ce5b3.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> markdown-toc-1.2.0.tgz

     -> ❌ minimist-1.2.5.tgz (Vulnerable Library)

Critical 9.8 minimist-1.2.5.tgz Upgrade to version: minimist - 0.2.4,1.2.6 None
CVE-2023-45133

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/@babel-traverse-npm-7.17.0-2ad756de16-9b7de053d8.zip

Dependency Hierarchy:

-> eslint-config-carbon-2.12.0.tgz (Root Library)

   -> babel-eslint-10.1.0.tgz

     -> ❌ traverse-7.17.0.tgz (Vulnerable Library)

Critical 9.3 traverse-7.17.0.tgz Upgrade to version: @babel/traverse - 7.23.2 None
CVE-2024-42461

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/elliptic-npm-6.5.2-d5bae60fab-c4e6247db6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-sign-4.0.4.tgz

         -> ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Critical 9.1 elliptic-6.5.2.tgz Upgrade to version: elliptic - 6.5.7 None
CVE-2021-37713

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-cipher-1.0.1.tgz

         -> evp_bytestokey-1.0.3.tgz

           -> node-gyp-7.1.2.tgz

             -> ❌ tar-6.1.0.tgz (Vulnerable Library)

High 8.2 tar-6.1.0.tgz Upgrade to version: tar - 4.4.18,5.0.10,6.1.9 None
CVE-2021-37712

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-cipher-1.0.1.tgz

         -> evp_bytestokey-1.0.3.tgz

           -> node-gyp-7.1.2.tgz

             -> ❌ tar-6.1.0.tgz (Vulnerable Library)

High 8.2 tar-6.1.0.tgz Upgrade to version: tar - 4.4.18,5.0.10,6.1.9 None
CVE-2021-37701

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-cipher-1.0.1.tgz

         -> evp_bytestokey-1.0.3.tgz

           -> node-gyp-7.1.2.tgz

             -> ❌ tar-6.1.0.tgz (Vulnerable Library)

High 8.2 tar-6.1.0.tgz Upgrade to version: tar - 4.4.16,5.0.8,6.1.7 None
CVE-2021-32804

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-cipher-1.0.1.tgz

         -> evp_bytestokey-1.0.3.tgz

           -> node-gyp-7.1.2.tgz

             -> ❌ tar-6.1.0.tgz (Vulnerable Library)

High 8.2 tar-6.1.0.tgz Upgrade to version: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1 None
CVE-2021-32803

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-cipher-1.0.1.tgz

         -> evp_bytestokey-1.0.3.tgz

           -> node-gyp-7.1.2.tgz

             -> ❌ tar-6.1.0.tgz (Vulnerable Library)

High 8.2 tar-6.1.0.tgz Upgrade to version: tar - 3.2.3, 4.4.15, 5.0.7, 6.1.2 None
CVE-2020-13822

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/elliptic-npm-6.5.2-d5bae60fab-c4e6247db6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-sign-4.0.4.tgz

         -> ❌ elliptic-6.5.2.tgz (Vulnerable Library)

High 7.7 elliptic-6.5.2.tgz Upgrade to version: v6.5.3 None
WS-2021-0152

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/color-string-npm-1.5.4-d923af493a-ae53f205d7.zip

Dependency Hierarchy:

-> themes-10.55.5.tgz (Root Library)

   -> color-3.1.3.tgz

     -> ❌ color-string-1.5.4.tgz (Vulnerable Library)

High 7.5 color-string-1.5.4.tgz Upgrade to version: color-string - 1.5.5 None
CVE-2024-4068

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/braces-npm-2.3.2-19cadb3384-e30dcb6aaf.zip

Dependency Hierarchy:

-> upgrade-10.17.2.tgz (Root Library)

   -> jscodeshift-0.13.1.tgz

     -> micromatch-3.1.10.tgz

       -> ❌ braces-2.3.2.tgz (Vulnerable Library)

High 7.5 braces-2.3.2.tgz Upgrade to version: braces - 3.0.3 None
CVE-2024-4068

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/braces-npm-3.0.2-782240b28a-e2a8e769a8.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> fast-glob-3.2.11.tgz

     -> micromatch-4.0.4.tgz

       -> ❌ braces-3.0.2.tgz (Vulnerable Library)

High 7.5 braces-3.0.2.tgz Upgrade to version: braces - 3.0.3 None
CVE-2024-37890

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/ws-npm-7.5.3-3a046a0b1a-423dc0d859.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> accessibility-checker-3.1.18.tgz

     -> puppeteer-5.4.1.tgz

       -> ❌ ws-7.5.3.tgz (Vulnerable Library)

High 7.5 ws-7.5.3.tgz Upgrade to version: ws - 5.2.4,6.2.3,7.5.10,8.17.1 None
CVE-2022-38900

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/decode-uri-component-npm-0.2.0-5bcc0f3597-f3749344ab.zip

Dependency Hierarchy:

-> upgrade-10.17.2.tgz (Root Library)

   -> jscodeshift-0.13.1.tgz

     -> micromatch-3.1.10.tgz

       -> snapdragon-0.8.2.tgz

         -> source-map-resolve-0.5.3.tgz

           -> ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

High 7.5 decode-uri-component-0.2.0.tgz Upgrade to version: decode-uri-component - 0.2.1 None
CVE-2022-37603

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/loader-utils-npm-1.2.3-d5bb1b4e08-385407fc26.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> styled-jsx-5.0.0-beta.3.tgz

       -> ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

High 7.5 loader-utils-1.2.3.tgz Upgrade to version: loader-utils - 1.4.2,2.0.4,3.2.1 None
CVE-2022-3517

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/minimatch-npm-3.0.4-6e76f51c23-66ac295f8a.zip

Dependency Hierarchy:

-> eslint-config-carbon-2.12.0.tgz (Root Library)

   -> eslint-plugin-import-2.25.3.tgz

     -> ❌ minimatch-3.0.4.tgz (Vulnerable Library)

High 7.5 minimatch-3.0.4.tgz Upgrade to version: minimatch - 3.0.5 None
CVE-2022-24999

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/qs-npm-6.5.2-dbf9d8386b-24af7b9928.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> accessibility-checker-3.1.18.tgz

     -> request-2.88.2.tgz

       -> ❌ qs-6.5.2.tgz (Vulnerable Library)

High 7.5 qs-6.5.2.tgz Upgrade to version: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3 None
CVE-2021-43803

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/next-npm-12.0.3-9304238c07-68be20fdc9.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> ❌ next-12.0.3.tgz (Vulnerable Library)

High 7.5 next-12.0.3.tgz Upgrade to version: next - 11.1.3,12.0.5 None
CVE-2021-3803

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/nth-check-npm-1.0.2-3f6d0d22eb-59e115fdd7.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> enzyme-3.11.0.tgz

     -> cheerio-1.0.0-rc.3.tgz

       -> css-select-1.2.0.tgz

         -> ❌ nth-check-1.0.2.tgz (Vulnerable Library)

High 7.5 nth-check-1.0.2.tgz Upgrade to version: nth-check - v2.0.1 None
CVE-2021-3777

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tmpl-npm-1.0.4-35b37c2875-72c9333504.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> jest-circus-27.4.6.tgz

     -> jest-snapshot-27.4.6.tgz

       -> jest-haste-map-27.4.6.tgz

         -> walker-1.0.7.tgz

           -> makeerror-1.0.11.tgz

             -> ❌ tmpl-1.0.4.tgz (Vulnerable Library)

High 7.5 tmpl-1.0.4.tgz Upgrade to version: tmpl - 1.0.5 None
CVE-2023-26159

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/follow-redirects-npm-1.14.1-e6bdc0f8e5-7381a55bdc.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> accessibility-checker-3.1.18.tgz

     -> chromedriver-91.0.1.tgz

       -> axios-0.21.1.tgz

         -> ❌ follow-redirects-1.14.1.tgz (Vulnerable Library)

High 7.3 follow-redirects-1.14.1.tgz Upgrade to version: follow-redirects - 1.15.4 None
CVE-2020-7774

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/y18n-npm-3.2.1-af8160320f-e359082da2.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> sassdoc-2.7.3.tgz

     -> sassdoc-theme-default-2.8.3.tgz

       -> nunjucks-3.2.0.tgz

         -> yargs-3.32.0.tgz

           -> ❌ y18n-3.2.1.tgz (Vulnerable Library)

High 7.3 y18n-3.2.1.tgz Upgrade to version: 3.2.2, 4.0.1, 5.0.5 None
CVE-2020-7774

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/y18n-npm-4.0.0-55cd797cc5-66e22d38bf.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> replace-in-file-6.1.0.tgz

     -> yargs-15.4.1.tgz

       -> ❌ y18n-4.0.0.tgz (Vulnerable Library)

High 7.3 y18n-4.0.0.tgz Upgrade to version: 3.2.2, 4.0.1, 5.0.5 None
CVE-2022-46175

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/json5-npm-2.2.0-da49dc7cb5-e88fc5274b.zip

Dependency Hierarchy:

-> babel-preset-carbon-0.2.0.tgz (Root Library)

   -> core-7.17.2.tgz

     -> ❌ json5-2.2.0.tgz (Vulnerable Library)

High 7.1 json5-2.2.0.tgz Upgrade to version: json5 - 2.2.2 None
CVE-2020-28498

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/elliptic-npm-6.5.2-d5bae60fab-c4e6247db6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-sign-4.0.4.tgz

         -> ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Medium 6.8 elliptic-6.5.2.tgz Upgrade to version: elliptic - 6.5.4 None
CVE-2024-28863

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-cipher-1.0.1.tgz

         -> evp_bytestokey-1.0.3.tgz

           -> node-gyp-7.1.2.tgz

             -> ❌ tar-6.1.0.tgz (Vulnerable Library)

Medium 6.5 tar-6.1.0.tgz Upgrade to version: tar - 6.2.1 None
CVE-2024-28849

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/follow-redirects-npm-1.14.1-e6bdc0f8e5-7381a55bdc.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> accessibility-checker-3.1.18.tgz

     -> chromedriver-91.0.1.tgz

       -> axios-0.21.1.tgz

         -> ❌ follow-redirects-1.14.1.tgz (Vulnerable Library)

Medium 6.5 follow-redirects-1.14.1.tgz Upgrade to version: follow-redirects - 1.15.6 None
CVE-2023-46234

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/browserify-sign-npm-4.0.4-1a79e14f9b-b1e6f6383f.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> ❌ browserify-sign-4.0.4.tgz (Vulnerable Library)

Medium 6.5 browserify-sign-4.0.4.tgz Upgrade to version: browserify-sign - 4.2.2 None
CVE-2022-0155

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/follow-redirects-npm-1.14.1-e6bdc0f8e5-7381a55bdc.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> accessibility-checker-3.1.18.tgz

     -> chromedriver-91.0.1.tgz

       -> axios-0.21.1.tgz

         -> ❌ follow-redirects-1.14.1.tgz (Vulnerable Library)

Medium 6.5 follow-redirects-1.14.1.tgz Upgrade to version: follow-redirects - v1.14.7 None
CVE-2020-11021

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/@actions-http-client-npm-1.0.6-b624868e85-ee3eafa28b.zip

Dependency Hierarchy:

-> @carbon/actions-add-review-labels-0.0.0.tgz (Root Library)

   -> github-2.1.1.tgz

     -> ❌ http-client-1.0.6.tgz (Vulnerable Library)

Medium 6.3 http-client-1.0.6.tgz Upgrade to version: 1.0.8 #16721
CVE-2024-47068

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/rollup-npm-2.67.2-23df7ee784-9aca5251ba.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> ❌ rollup-2.67.2.tgz (Vulnerable Library)

Medium 6.1 rollup-2.67.2.tgz Upgrade to version: rollup - 3.29.5,4.22.4 None
CVE-2023-2142

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/nunjucks-npm-3.2.0-772b1760b8-542d9de345.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> sassdoc-2.7.3.tgz

     -> sassdoc-theme-default-2.8.3.tgz

       -> ❌ nunjucks-3.2.0.tgz (Vulnerable Library)

Medium 6.1 nunjucks-3.2.0.tgz Upgrade to version: nunjucks - 3.2.4 None
CVE-2022-0235

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/node-fetch-npm-2.6.1-46c670dbc1-91075bedd5.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> ❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Medium 6.1 node-fetch-2.6.1.tgz Upgrade to version: node-fetch - 2.6.7,3.1.1 None
WS-2019-0424

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/elliptic-npm-6.5.2-d5bae60fab-c4e6247db6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-sign-4.0.4.tgz

         -> ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Medium 5.9 elliptic-6.5.2.tgz Upgrade to version: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;Romano.Vue - 1.0.1;org.webjars.npm:elliptic - 6.5.4,6.3.3;VueJS.NetCore - 1.1.1;elliptic - 6.5.3;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6 None
CVE-2022-23646

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/next-npm-12.0.3-9304238c07-68be20fdc9.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> ❌ next-12.0.3.tgz (Vulnerable Library)

Medium 5.9 next-12.0.3.tgz Upgrade to version: next - 12.1.0 None
CVE-2022-21721

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/next-npm-12.0.3-9304238c07-68be20fdc9.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> ❌ next-12.0.3.tgz (Vulnerable Library)

Medium 5.9 next-12.0.3.tgz Upgrade to version: next - 12.0.9 None
CVE-2024-42460

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/elliptic-npm-6.5.2-d5bae60fab-c4e6247db6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-sign-4.0.4.tgz

         -> ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Medium 5.3 elliptic-6.5.2.tgz Upgrade to version: elliptic - 6.5.7 None
CVE-2024-42459

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/elliptic-npm-6.5.2-d5bae60fab-c4e6247db6.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> crypto-browserify-3.12.0.tgz

       -> browserify-sign-4.0.4.tgz

         -> ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Medium 5.3 elliptic-6.5.2.tgz Upgrade to version: elliptic - 6.5.7 None
CVE-2024-4067

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/micromatch-npm-3.1.10-016e80c79d-ad226cba4d.zip

Dependency Hierarchy:

-> upgrade-10.17.2.tgz (Root Library)

   -> jscodeshift-0.13.1.tgz

     -> ❌ micromatch-3.1.10.tgz (Vulnerable Library)

Medium 5.3 micromatch-3.1.10.tgz Upgrade to version: micromatch - 4.0.8 None
CVE-2024-4067

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/micromatch-npm-4.0.4-9fdcbb7a0e-ef3d1c88e7.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> fast-glob-3.2.11.tgz

     -> ❌ micromatch-4.0.4.tgz (Vulnerable Library)

Medium 5.3 micromatch-4.0.4.tgz Upgrade to version: micromatch - 4.0.8 None
CVE-2023-44270

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/postcss-npm-7.0.39-0f8737296e-4ac793f506.zip

Dependency Hierarchy:

-> stylelint-config-carbon-1.9.0.tgz (Root Library)

   -> stylelint-config-idiomatic-order-8.1.0.tgz

     -> stylelint-order-3.1.1.tgz

       -> ❌ postcss-7.0.39.tgz (Vulnerable Library)

Medium 5.3 postcss-7.0.39.tgz Upgrade to version: postcss - 8.4.31 None
CVE-2023-44270

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/postcss-npm-8.4.6-c2574c0171-60e7808f39.zip

Dependency Hierarchy:

-> stylelint-config-carbon-1.9.0.tgz (Root Library)

   -> stylelint-no-unsupported-browser-features-5.0.2.tgz

     -> ❌ postcss-8.4.6.tgz (Vulnerable Library)

Medium 5.3 postcss-8.4.6.tgz Upgrade to version: postcss - 8.4.31 None
CVE-2023-44270

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/postcss-npm-8.2.15-8a34d0d953-07c309e531.zip

Dependency Hierarchy:

-> www-0.12.0.tgz (Root Library)

   -> next-12.0.3.tgz

     -> ❌ postcss-8.2.15.tgz (Vulnerable Library)

Medium 5.3 postcss-8.2.15.tgz Upgrade to version: postcss - 8.4.31 None
CVE-2022-25883

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/semver-npm-6.3.0-b3eace8bfd-1b26ecf6db.zip

Dependency Hierarchy:

-> eslint-config-carbon-2.12.0.tgz (Root Library)

   -> eslint-plugin-react-7.27.1.tgz

     -> ❌ semver-6.3.0.tgz (Vulnerable Library)

Medium 5.3 semver-6.3.0.tgz Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 None
CVE-2022-25883

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/semver-npm-7.3.5-618cf5db6a-5eafe6102b.zip

Dependency Hierarchy:

-> eslint-config-carbon-2.12.0.tgz (Root Library)

   -> eslint-plugin-jsdoc-37.9.4.tgz

     -> ❌ semver-7.3.5.tgz (Vulnerable Library)

Medium 5.3 semver-7.3.5.tgz Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 None
CVE-2022-25883

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/semver-npm-7.0.0-218e8c00ca-272c11bf8d.zip

Dependency Hierarchy:

-> babel-preset-carbon-0.2.0.tgz (Root Library)

   -> preset-env-7.16.7.tgz

     -> core-js-compat-3.20.3.tgz

       -> ❌ semver-7.0.0.tgz (Vulnerable Library)

Medium 5.3 semver-7.0.0.tgz Upgrade to version: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2 None
CVE-2022-25881

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/http-cache-semantics-npm-4.1.0-860520a31f-974de94a81.zip

Dependency Hierarchy:

-> cli-10.34.4.tgz (Root Library)

   -> sassdoc-2.7.3.tgz

     -> update-notifier-4.1.3.tgz

       -> latest-version-5.1.0.tgz

         -> package-json-6.5.0.tgz

           -> got-9.6.0.tgz

             -> cacheable-request-6.1.0.tgz

               -> ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Medium 5.3 http-cache-semantics-4.1.0.tgz Upgrade to version: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1 None
CVE-2021-29060

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/color-string-npm-1.5.4-d923af493a-ae53f205d7.zip

Dependency Hierarchy:

-> themes-10.55.5.tgz (Root Library)

   -> color-3.1.3.tgz

     -> ❌ color-string-1.5.4.tgz (Vulnerable Library)

Medium 5.3 color-string-1.5.4.tgz Upgrade to version: color-string - 1.5.5 None
CVE-2022-35954

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/@actions-core-npm-1.2.3-8989846210-61ca1973ae.zip

Dependency Hierarchy:

-> @carbon/actions-add-review-labels-0.0.0.tgz (Root Library)

   -> ❌ core-1.2.3.tgz (Vulnerable Library)

Medium 5.0 core-1.2.3.tgz Upgrade to version: @actions/core - 1.9.1 #16721
CVE-2020-15228

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/@actions-core-npm-1.2.3-8989846210-61ca1973ae.zip

Dependency Hierarchy:

-> @carbon/actions-add-review-labels-0.0.0.tgz (Root Library)

   -> ❌ core-1.2.3.tgz (Vulnerable Library)

Low 3.5 core-1.2.3.tgz Upgrade to version: 1.2.6 #16721
CVE-2022-0536

Path to dependency file: /package.json

Path to vulnerable library: /.yarn/cache/follow-redirects-npm-1.14.1-e6bdc0f8e5-7381a55bdc.zip

Dependency Hierarchy:

-> jest-config-carbon-0.13.1.tgz (Root Library)

   -> accessibility-checker-3.1.18.tgz

     -> chromedriver-91.0.1.tgz

       -> axios-0.21.1.tgz

         -> ❌ follow-redirects-1.14.1.tgz (Vulnerable Library)

Low 2.6 follow-redirects-1.14.1.tgz Upgrade to version: follow-redirects - 1.14.8 None
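The same vulnerable artifact is listed once per CVE above (tar-6.1.0.tgz six times, elliptic-6.5.2.tgz six times, each with a different "Upgrade to version" string), while the remediated table below shows other versions of the same packages (tar-6.1.15, ws-8.5.0, rollup-2.79.1) already fixed. The unit of remediation is therefore the vulnerable library version, not the CVE row, and the version to pin is the highest of the per-CVE fixes within the vulnerable major. The Node.js script below is an added example, not code from the Carbon repository or from Mend: it parses entries in the layout shown above, folds them into one record per library version, picks that fix version, and emits a package.json `resolutions` fragment. The embedded sample is an abridged excerpt of four entries from this report (intermediate hierarchy levels dropped); using Yarn `resolutions` to apply the pins is this example's assumption about the workflow, and cross-major pins are flagged for review rather than applied silently.

```javascript
// Added example (not Carbon's or Mend's code): fold a Mend "New vulnerabilities"
// listing into one record per vulnerable library version and derive fix pins.

// Constructed sample: four entries from the report above, abridged (same ids,
// cache paths and fix strings; intermediate hierarchy levels dropped).
const SAMPLE_REPORT = `
CVE-2021-37713
Path to dependency file: /package.json
Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip
Dependency Hierarchy:
-> www-0.12.0.tgz (Root Library)
   -> next-12.0.3.tgz
     -> ❌ tar-6.1.0.tgz (Vulnerable Library)
High 8.2 tar-6.1.0.tgz Upgrade to version: tar - 4.4.18,5.0.10,6.1.9 None
CVE-2024-28863
Path to vulnerable library: /.yarn/cache/tar-npm-6.1.0-21d6116ed9-0638a405b6.zip
-> www-0.12.0.tgz (Root Library)
     -> ❌ tar-6.1.0.tgz (Vulnerable Library)
Medium 6.5 tar-6.1.0.tgz Upgrade to version: tar - 6.2.1 None
CVE-2024-4068
Path to vulnerable library: /.yarn/cache/braces-npm-2.3.2-19cadb3384-e30dcb6aaf.zip
-> upgrade-10.17.2.tgz (Root Library)
   -> ❌ braces-2.3.2.tgz (Vulnerable Library)
High 7.5 braces-2.3.2.tgz Upgrade to version: braces - 3.0.3 None
CVE-2020-7774
Path to vulnerable library: /.yarn/cache/y18n-npm-3.2.1-af8160320f-e359082da2.zip
-> cli-10.34.4.tgz (Root Library)
   -> ❌ y18n-3.2.1.tgz (Vulnerable Library)
High 7.3 y18n-3.2.1.tgz Upgrade to version: 3.2.2, 4.0.1, 5.0.5 None
`;

const ENTRY_ID = /^(CVE-\d{4}-\d+|WS-\d{4}-\d+)$/;
// Final row of an entry: Severity, CVSS, library token, fix text, issue link.
const ROW = /^(Critical|High|Medium|Low)\s+(\d+(?:\.\d+)?)\s+(\S+)\s+Upgrade to version:\s*(.*?)\s+(None|#\d+)$/;
const LIB = /^(.+?)-(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)\.tgz$/;
const SEMVER = /\d+\.\d+\.\d+/g;
const SEVERITY_RANK = { Low: 1, Medium: 2, High: 3, Critical: 4 };

// Numeric compare of "x.y.z" strings; pre-release tags are ignored (all
// vulnerable versions in this report are plain releases).
function compareVersions(a, b) {
  const pa = a.split(/[.-]/, 3).map(Number);
  const pb = b.split(/[.-]/, 3).map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// "tar-6.1.0.tgz" -> { name: "tar", version: "6.1.0" }
function splitLibrary(token) {
  const m = LIB.exec(token);
  if (!m) throw new Error(`unrecognised library token: ${token}`);
  return { name: m[1], version: m[2] };
}

// Fix for one CVE: lowest fixed release above the vulnerable version in the
// same major line; otherwise the lowest higher release, flagged crossMajor,
// because a major bump is not a drop-in pin. Restricting to the same major
// also ignores unrelated version numbers Mend sometimes lists in fix strings.
function pickFix(vulnerable, fixText) {
  const candidates = (fixText.match(SEMVER) || [])
    .filter((v) => compareVersions(v, vulnerable) > 0)
    .sort(compareVersions);
  const major = vulnerable.split(".")[0];
  const sameMajor = candidates.find((v) => v.split(".")[0] === major);
  if (sameMajor) return { version: sameMajor, crossMajor: false };
  if (candidates.length) return { version: candidates[0], crossMajor: true };
  return null;
}

// One record per "name@version": all CVEs, worst severity/CVSS, root libraries
// that pull it in, and the single target version that closes every CVE.
function parseReport(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const byLibrary = new Map();
  let entry = null;
  for (const line of lines) {
    if (ENTRY_ID.test(line)) { entry = { id: line, roots: [], cachePath: "" }; continue; }
    if (!entry) continue;
    if (line.startsWith("Path to vulnerable library:")) {
      entry.cachePath = line.slice("Path to vulnerable library:".length).trim();
    } else if (line.startsWith("->") && line.includes("(Root Library)")) {
      entry.roots.push(line.replace(/^->\s*/, "").replace(/\s*\(Root Library\)$/, ""));
    } else {
      const row = ROW.exec(line);
      if (!row) continue;
      const [, severity, cvss, libToken, fixText, issue] = row;
      const { name, version } = splitLibrary(libToken);
      const key = `${name}@${version}`;
      const rec = byLibrary.get(key) || {
        name, version, cachePath: entry.cachePath, cves: [], roots: new Set(),
        issues: new Set(), maxCvss: 0, maxSeverity: "Low", target: null, crossMajor: false,
      };
      rec.cves.push(entry.id);
      entry.roots.forEach((r) => rec.roots.add(r));
      rec.maxCvss = Math.max(rec.maxCvss, Number(cvss));
      if (SEVERITY_RANK[severity] > SEVERITY_RANK[rec.maxSeverity]) rec.maxSeverity = severity;
      if (issue !== "None") rec.issues.add(issue);
      const fix = pickFix(version, fixText);
      if (fix && (!rec.target || compareVersions(fix.version, rec.target) > 0)) rec.target = fix.version;
      if (fix && fix.crossMajor) rec.crossMajor = true;
      byLibrary.set(key, rec);
      entry = null; // the row line closes the entry
    }
  }
  return byLibrary;
}

// package.json "resolutions" fragment (assumed Yarn workflow): one pin per
// package name, the highest target across its flagged versions, plus the list
// of cross-major pins that need a compatibility check before being applied.
function resolutionsFor(byLibrary) {
  const resolutions = {};
  const review = [];
  for (const rec of byLibrary.values()) {
    if (!rec.target) continue;
    if (!resolutions[rec.name] || compareVersions(rec.target, resolutions[rec.name]) > 0) {
      resolutions[rec.name] = rec.target;
    }
    if (rec.crossMajor) review.push(`${rec.name}@${rec.version} -> ${rec.target}`);
  }
  return { resolutions, review };
}

const findings = parseReport(SAMPLE_REPORT);
for (const rec of findings.values()) {
  console.log(`${rec.name}@${rec.version}: ${rec.cves.length} CVE(s), worst ${rec.maxSeverity} ${rec.maxCvss}, ` +
    `via ${[...rec.roots].join(", ")}, raise to ${rec.target}${rec.crossMajor ? " (major bump, review)" : ""}`);
}
console.log(JSON.stringify(resolutionsFor(findings), null, 2));
```

Fed the full report, the script reduces the 52 rows to the distinct vulnerable library versions and prints which root library pulls each one in; that hierarchy is what decides whether a pin matters for shipped code (www, themes) or only for tooling (eslint-config-carbon, jest-config-carbon, stylelint-config-carbon). Confirm the resolved version with `yarn why <package>` before and after adding a pin, and treat the cross-major entries (braces 2.x to 3.0.3, micromatch 3.x to 4.0.8, nth-check 1.x to 2.0.1) as upgrades of the consuming package rather than blind pins.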

✔️ Remediated vulnerabilities:

CVE Vulnerable Library
CVE-2024-46982 next-14.2.5.tgz
CVE-2024-47068 rollup-2.79.1.tgz
CVE-2024-46982 next-14.1.1.tgz
CVE-2024-37890 ws-8.5.0.tgz
CVE-2024-28863 tar-6.1.15.tgz
CVE-2023-26136 tough-cookie-4.0.0.tgz

Base branch total remaining vulnerabilities: 31
Base branch commit: 00fe911f646de0540d803b0949cf1f16b075483c


Total libraries scanned: 1418

Scan token: 3e9fd324eb9c40f78fa2d4bef6faef73