Hi @Xiangshouding @2betop, I'd like to report several vulnerabilities.
Issue
15 vulnerabilities (9 high, 4 medium and 2 low severity) are introduced in fis3. Here are some examples:
1. Vulnerability npmjs-advisories-1464 (high severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
2. Vulnerability CVE-2020-8203 (medium severity) is detected in package lodash (versions: <4.17.16): https://snyk.io/vuln/SNYK-JS-LODASH-567746
3. Vulnerability CVE-2016-10540 (high severity) is detected in package minimatch (versions: <3.0.2): https://snyk.io/vuln/npm:minimatch:20160620
4. Vulnerability npmjs-advisories-1179 (low severity) is detected in package minimist (versions: >=0.0.0 <0.2.1, >=1.0.0 <1.2.3): https://www.npmjs.com/advisories/1179
The above vulnerable packages are referenced by fis3 via:
In [email protected].* :
[email protected] ➔ [email protected]
[email protected] ➔ [email protected] ➔ [email protected]
[email protected] ➔ [email protected]
In [email protected].* :
[email protected] ➔ [email protected] ➔ [email protected]
[email protected] ➔ [email protected]
In [email protected].* :
In a similar way to 3.2.*
Solution
Since [email protected].* is transitively referenced by 123 downstream projects (e.g., stormrage 2.8.0 (latest version), fis3-client 1.6.352 (latest version), fep-cli 1.0.0 (latest version), atmjs 0.7.7 (latest version), pcat 2.9.2 (latest version)),
[email protected].* is referenced by 2 downstream projects (fis273 1.2.3 (latest version), xiangha-fe 1.0.5 (latest version)),
[email protected].* is referenced by 2 downstream projects (fis-web-config 0.0.3 (latest version), feat-l 0.0.3 (latest version)),
if fis3 removes the vulnerabilities from the above versions, then its fixed versions can help downstream users decrease their pain.
Could you help update packages in these versions?
Fixing suggestions
(1) In [email protected].*, you can kindly try to perform the following upgrades (not crossing their major versions):
lodash 4.17.5 ➔ 4.17.21; Note: [email protected] (>=4.17.21) has fixed the vulnerabilities (e.g., CVE-2021-23337, CVE-2020-8203, CVE-2018-16487)
glob 5.0.3 ➔ 5.0.15; Note: [email protected] directly depends on [email protected] (a version in which CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 are patched)
minimist 1.1.1 ➔ 1.2.3; Note: [email protected] has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179
(2) In [email protected].*, you can kindly try to perform the following upgrades (not crossing their major versions):
glob 5.0.3 ➔ 5.0.15; Note: [email protected] directly depends on [email protected] (a version in which CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 are patched)
minimist 1.1.1 ➔ 1.2.3; Note: [email protected] has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179
(3) In [email protected].*, you can kindly try to perform the following upgrades (not crossing their major versions):
glob 5.0.3 ➔ 5.0.15; Note: [email protected] directly depends on [email protected] (a version in which CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 are patched)
minimist 1.1.1 ➔ 1.2.3; Note: [email protected] has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179
Thanks for your contributions to the npm ecosystem!
Best regards,
Paimon
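The dependency chains and advisory version ranges in the report above can be checked mechanically against a project's dependency tree. The following is an added example, not code from fis3 or from the reporter: it walks an `npm ls --json`-style tree with a minimal semver range matcher and returns every path that ends in a package inside a vulnerable range. The sample tree, its root version and the minimatch version under glob are constructed assumptions, not values taken from the issue.

```javascript
// Added example, not fis3 project code: walk an `npm ls --json`-style dependency
// tree and list every path that reaches a package whose version lies inside an
// advisory's vulnerable range, reproducing the "a -> b -> c" chains reported above.
// Range syntax: comparators (<, <=, >, >=, =) joined by spaces mean AND, joined by
// commas mean OR, as in ">=0.0.0 <0.2.1,>=1.0.0 <1.2.3" quoted in the issue.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number); // drop pre-release/build tags
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0) ? -1 : 1;
  }
  return 0;
}
function satisfies(version, range) {
  return range.split(",").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=?)(\d[\w.+-]*)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0, "": c === 0 }[m[1]];
    }),
  );
}
// Depth-first walk; `path` holds "name@version" entries from the root down.
function findVulnerablePaths(node, advisories, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = advisories
    .filter((a) => a.package === node.name && satisfies(node.version, a.range))
    .map((a) => ({ advisory: a.id, path: here.join(" -> ") }));
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths({ name, ...dep }, advisories, here));
  }
  return hits;
}
// Constructed sample mirroring the chain shapes reported above; the root version
// and the minimatch version under glob are assumptions, not taken from the issue.
const SAMPLE_TREE = { name: "fis3", version: "3.2.0", dependencies: {
  lodash: { version: "4.17.5" },
  glob: { version: "5.0.3", dependencies: { minimatch: { version: "2.0.10" } } },
  minimist: { version: "1.1.1" } } };
const ADVISORIES = [
  { id: "npmjs-advisories-1464", package: "lodash", range: "<4.17.21" },
  { id: "CVE-2020-8203", package: "lodash", range: "<4.17.16" },
  { id: "CVE-2016-10540", package: "minimatch", range: "<3.0.2" },
  { id: "npmjs-advisories-1179", package: "minimist", range: ">=0.0.0 <0.2.1,>=1.0.0 <1.2.3" },
];
console.log(findVulnerablePaths(SAMPLE_TREE, ADVISORIES)); // 4 hits on the sample tree
```

Running the same check after applying the suggested upgrades (lodash 4.17.21, glob 5.0.15, minimist 1.2.3) is a quick way to confirm that the vulnerable ranges are no longer reachable.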
Thanks
@xiangshouding Thanks for your understanding and help.