
chore(bit): update deps that have vulnerabilities

Open luvkapur opened this issue 1 year ago • 0 comments

Vulnerability Report

Summary

Total vulnerabilities: 72

  • CRITICAL: 13
  • HIGH: 21
  • MEDIUM: 35
  • LOW: 3

Detailed Report

CRITICAL Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
| --- | --- | --- | --- | --- | --- | --- |
| ejs | CVE-2022-29078 | 2.7.4 | 3.1.7 | Server-side template injection in outputFunctionName | Fixed | |
| hermes-engine | CVE-2021-24037 | 0.7.2 | 0.8.0 | Use After Free in Hermes | No | |
| hermes-engine | CVE-2021-24044 | | 0.10.0 | Access of Resource Using Incompatible Type in Hermes | No | [ ] |
| json-schema | CVE-2021-3918 | 0.3.0 | 0.4.0 | Prototype pollution vulnerability | No | [ ] |
| minimist | CVE-2021-44906 | 0.0.10 | 1.2.6, 0.2.4 | Prototype pollution | No | [ ] |
| shell-quote | CVE-2021-42740 | 1.6.1 | 1.7.3 | Command injection vulnerability | No | [ ] |
| url-parse | CVE-2022-0686 | 1.4.7 | 1.5.8 | Authorization bypass through user-controlled key | No | ✅ fixed as part of https://bit.cloud/teambit/ui-foundation/~change-requests/bump-url-parse-dependents |
| url-parse | CVE-2022-0691 | | | Authorization bypass through user-controlled key | No | ✅ fixed as part of https://bit.cloud/teambit/ui-foundation/~change-requests/bump-url-parse-dependents |

HIGH Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
| --- | --- | --- | --- | --- | --- | --- |
| apollo-server | GHSA-qm7x-rc44-rrqw | 2.19.2 | 2.25.3, 3.4.1 | Cross-site Scripting Vulnerability in GraphQL Playground | Fixed | ✅ fixed as part of https://github.com/teambit/bit/pull/8753 |
| aws-sdk | CVE-2020-28472 | 2.756.0 | 2.814.0 | Prototype Pollution via file load | No | |
| d3-color | GHSA-36jr-mh4h-2g58 | 2.0.0 | 3.1.0 | Vulnerable to ReDoS | No | [ ] |
| dicer | CVE-2022-24434 | 0.3.0 | None | Nodejs service crash by sending a crafted payload | No | [ ] |
| immer | CVE-2021-3757 | 8.0.1 | None | Prototype pollution may lead to DoS or remote code execution | No | [ ] |
| loader-utils | CVE-2022-37599 | 2.0.0 | 1.4.2, 2.0.4, 3.2.1 | Regular expression denial of service in interpolateName.js | No | [ ] |
| lodash | CVE-2021-23337 | 4.17.20 | None | Command injection via template | No | [ ] |
| qs | CVE-2022-24999 | 6.7.0 | 6.10.3, 6.9.7, etc. | "qs" prototype poisoning causes the hang of the node process | No | [ ] |
| shelljs | CVE-2022-0144 | 0.3.0 | 0.8.5 | Improper privilege management | No | [ ] |
| trim | CVE-2020-7753 | 0.0.1 | 0.0.3 | Regular Expression Denial of Service (ReDoS) in trim function | Fixed | [ ] |
| webpack-dev-middleware | CVE-2024-29180 | 5.3.3 | 7.1.0, 6.1.2, 5.3.4 | Lack of URL validation may lead to file leak | Fixed | [ ] |
| ws | CVE-2021-32640 | 7.4.2 | 7.4.6, 6.2.2, 5.2.3 | Specially crafted value of Sec-Websocket-Protocol header used | No | ✅ fixed as part of https://github.com/teambit/bit/pull/8753 |

MEDIUM Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
| --- | --- | --- | --- | --- | --- | --- |
| apollo-server | GHSA-2p3c-p3qw-69r4 | | 2.25.4 | CSRF vulnerability in graphql-upload library | No | ✅ fixed as part of https://github.com/teambit/bit/pull/8753 |
| bl | CVE-2020-8244 | 1.1.2 | 1.2.3, 2.2.1, 3.0.1, 4.0.3 | Buffer over-read leads to corrupted BufferList | No | [ ] |
| browserslist | CVE-2021-23364 | 4.14.2 | 4.16.5 | Parsing of invalid queries could lead to RegEx Denial of Service | No | [ ] |
| express | CVE-2024-29041 | 4.17.1 | 4.19.2, 5.0.0-beta.3 | Express.js versions are vulnerable to unknown issue | No | |
| got | CVE-2022-33987 | 6.7.1 | 12.1.0, 11.8.5 | Missing verification of requested URLs allows redirects to UNIX sockets | No | [ ] |
| lodash | CVE-2020-28500 | | 4.17.21 | ReDoS via the toNumber, trim and trimEnd functions | No | [ ] |
| postcss | CVE-2023-44270 | 8.4.18 | 8.4.31 | An issue discovered in PostCSS before 8.4.31 | No | [ ] |
| request | CVE-2023-28155 | 2.88.2 | None | Allows a bypass of SSRF protection | No | [ ] |
| ws | GHSA-64g7-mvw6-v9qj | | | Improper Privilege Management in shelljs | No | [ ] |

LOW Severity Vulnerabilities

| Library | Vulnerability ID | Installed Version | Fixed Version | Title | Status | Progress |
| --- | --- | --- | --- | --- | --- | --- |
| es5-ext | CVE-2024-27088 | 0.10.62 | 0.10.63 | ECMAScript 5 extensions can lead to functions with very... | No | [ ] |
| node-fetch | CVE-2020-15168 | | 2.6.1, 3.0.0-beta.9 | Size of data after fetch() JS thread leads to DoS | No | [ ] |
| utile | NSWG-ECO-445 | 0.3.0 | None | Out-of-bounds Read in utile | No | [ ] |

luvkapur, Apr 19 '24 18:04