vulnerabilities in npm dependencies

ugh, npm.

There are 149 npm security advisories affecting our repositories.

#1067342: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (130)

#1067720: immer

Severity: critical

Prototype Pollution in immer
Affected repositories (4)

#1067912: handlebars

Severity: critical

Prototype Pollution in handlebars
Affected repositories (1)

#1068088: netmask

Severity: critical

Improper parsing of octal bytes in netmask
Affected repositories (1)

#1069477: lodash

Severity: critical

Prototype Pollution in lodash
Affected repositories (1)

#1069553: lodash.template

Severity: critical

Prototype Pollution in lodash
Affected repositories (3)

#1069854: cryptiles

Severity: critical

Insufficient Entropy in cryptiles
Affected repositories (2)

#1070412: ejs

Severity: critical

Template injection in ejs
Affected repositories (7)

#1070413: json-schema

Severity: critical

json-schema is vulnerable to Prototype Pollution
Affected repositories (11)

#1070468: handlebars

Severity: critical

Prototype Pollution in handlebars
Affected repositories (1)

#1075650: shell-quote

Severity: critical

Improper Neutralization of Special Elements used in a Command in Shell-quote
Affected repositories (4)

#1081993: json-schema

Severity: critical

json-schema is vulnerable to Prototype Pollution
Affected repositories (2)

#1082196: property-expr

Severity: critical

Prototype Pollution in property-expr
Affected repositories (1)

#1083256: ejs

Severity: critical

ejs template injection vulnerability
Affected repositories (3)

#1084602: underscore

Severity: critical

Arbitrary Code Execution in underscore
Affected repositories (1)

#1067329: glob-parent

Severity: high

Regular expression denial of service in glob-parent
Affected repositories (2)

#1067371: simple-git

Severity: high

Command injection in simple-git
Affected repositories (1)

#1067395: requestretry

Severity: high

Cookie exposure in requestretry
Affected repositories (18)

#1067401: prismjs

Severity: high

Cross-site Scripting in Prism
Affected repositories (6)

#1067428: simple-get

Severity: high

Exposure of Sensitive Information in simple-get
Affected repositories (2)

#1067444: shelljs

Severity: high

Improper Privilege Management in shelljs
Affected repositories (1)

#1067459: follow-redirects

Severity: high

Exposure of sensitive information in follow-redirects
Affected repositories (1)

#1067751: pac-resolver

Severity: high

Code Injection in pac-resolver
Affected repositories (1)

#1067813: normalize-url

Severity: high

ReDoS in normalize-url
Affected repositories (1)

#1067816: prismjs

Severity: high

Regular Expression Denial of Service (ReDoS) in Prism
Affected repositories (2)

#1068026: handlebars

Severity: high

Arbitrary Code Execution in Handlebars
Affected repositories (1)

#1068028: handlebars

Severity: high

Regular Expression Denial of Service in Handlebars
Affected repositories (1)

#1068083: chrono-node

Severity: high

Denial of service in chrono-node
Affected repositories (1)

#1068134: underscore

Severity: high

Arbitrary Code Execution in underscore
Affected repositories (3)

#1068190: merge

Severity: high

Prototype Pollution in merge
Affected repositories (3)

#1068235: prismjs

Severity: high

Denial of service in prismjs
Affected repositories (2)

#1068264: immer

Severity: high

Prototype Pollution in immer
Affected repositories (2)

#1068298: ini

Severity: high

Prototype Pollution
Affected repositories (3)

#1068522: handlebars

Severity: high

Arbitrary Code Execution in handlebars
Affected repositories (1)

#1069572: diff

Severity: high

Regular Expression Denial of Service (ReDoS)
Affected repositories (1)

#1069597: handlebars

Severity: high

Prototype Pollution in handlebars
Affected repositories (1)

#1069604: js-yaml

Severity: high

Code Injection in js-yaml
Affected repositories (1)

#1069995: pathval

Severity: high

Prototype pollution in pathval
Affected repositories (2)

#1070006: ansi-html

Severity: high

Uncontrolled Resource Consumption in ansi-html
Affected repositories (1)

#1070022: node-fetch

Severity: high

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Affected repositories (4)

#1070025: marked

Severity: high

Inefficient Regular Expression Complexity in marked
Affected repositories (3)

#1070026: marked

Severity: high

Inefficient Regular Expression Complexity in marked
Affected repositories (2)

#1070055: graphiql

Severity: high

GraphiQL introspection schema template injection attack
Affected repositories (1)

#1070117: lodash

Severity: high

Command Injection in lodash
Affected repositories (4)

#1070166: prismjs

Severity: high

Cross-Site Scripting in Prism
Affected repositories (2)

#1070209: y18n

Severity: high

Prototype Pollution in y18n
Affected repositories (3)

#1070247: lodash

Severity: high

Prototype Pollution in lodash
Affected repositories (2)

#1070259: trim

Severity: high

Regular Expression Denial of Service in trim
Affected repositories (3)

#1070290: simple-git

Severity: high

Command injection in simple-git
Affected repositories (1)

#1070326: tmpl

Severity: high

Regular Expression Denial of Service in tmpl
Affected repositories (1)

#1070356: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge
Affected repositories (1)

#1070363: tar

Severity: high

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Affected repositories (14)

#1070364: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (1)

#1070367: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (1)

#1070369: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (14)

#1070370: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (1)

#1070372: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (13)

#1070373: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (2)

#1070385: hawk

Severity: high

Uncontrolled Resource Consumption in Hawk
Affected repositories (2)

#1070391: trim-newlines

Severity: high

Uncontrolled Resource Consumption in trim-newlines
Affected repositories (5)

#1070402: grunt

Severity: high

Race Condition in Grunt
Affected repositories (186)

#1070411: libxmljs

Severity: high

Denial of service vulnerability exists in libxmljs
Affected repositories (1)

#1070415: nth-check

Severity: high

Inefficient Regular Expression Complexity in nth-check
Affected repositories (5)

#1070417: semver-regex

Severity: high

Regular Expression Denial of Service (ReDOS)
Affected repositories (2)

#1070435: redis

Severity: high

Potential exponential regex in monitor mode
Affected repositories (1)

#1070440: async

Severity: high

Prototype Pollution in async
Affected repositories (8)

#1070443: async

Severity: high

Prototype Pollution in async
Affected repositories (109)

#1070480: dicer

Severity: high

Crash in HeaderParser in dicer
Affected repositories (5)

#1075625: jpeg-js

Severity: high

Infinite loop in jpeg-js
Affected repositories (2)

#1075704: protobufjs

Severity: high

Prototype Pollution in protobufjs
Affected repositories (1)

#1080906: express-handlebars

Severity: high

Insecure template handling in Express-handlebars
Affected repositories (1)

#1080909: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (1)

#1080911: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (13)

#1080912: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (2)

#1081346: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (11)

#1081347: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (15)

#1081348: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (12)

#1081480: scss-tokenizer

Severity: high

Regular expression denial of service in scss-tokenizer
Affected repositories (1)

#1081486: git-clone

Severity: high

Command injection in git-clone
Affected repositories (1)

#1081698: terser

Severity: high

Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS
Affected repositories (5)

#1081699: terser

Severity: high

Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS
Affected repositories (4)

#1081761: moment

Severity: high

Inefficient Regular Expression Complexity in moment
Affected repositories (14)

#1081763: moment

Severity: high

Path Traversal: 'dir/../../filename' in moment.locale
Affected repositories (12)

#1081813: axios

Severity: high

Incorrect Comparison in axios
Affected repositories (1)

#1081884: glob-parent

Severity: high

glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
Affected repositories (10)

#1081914: ini

Severity: high

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Affected repositories (9)

#1081982: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (2)

#1081983: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (3)

#1081984: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (1)

#1084348: immer

Severity: high

Prototype Pollution in immer
Affected repositories (1)

#1084429: moment

Severity: high

Moment.js vulnerable to Inefficient Regular Expression Complexity
Affected repositories (1)

#1084495: node-fetch

Severity: high

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Affected repositories (2)

#1084497: follow-redirects

Severity: high

Exposure of sensitive information in follow-redirects
Affected repositories (1)

#1067394: karma

Severity: moderate

Open redirect in karma
Affected repositories (2)

#1067407: follow-redirects

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
Affected repositories (4)

#1067417: node-sass

Severity: moderate

Improper Certificate Validation in node-sass
Affected repositories (1)

#1067422: karma

Severity: moderate

Cross-site Scripting in karma
Affected repositories (1)

#1067451: shelljs

Severity: moderate

Improper Privilege Management in shelljs
Affected repositories (2)

#1067480: xmldom

Severity: moderate

Misinterpretation of malicious XML input
Affected repositories (1)

#1067560: validator

Severity: moderate

Inefficient Regular Expression Complexity in validator.js
Affected repositories (2)

#1067761: path-parse

Severity: moderate

Regular Expression Denial of Service in path-parse
Affected repositories (5)

#1067818: color-string

Severity: moderate

Regular Expression Denial of Service (ReDOS)
Affected repositories (1)

#1067902: browserslist

Severity: moderate

Regular Expression Denial of Service in browserslist
Affected repositories (5)

#1067946: ajv

Severity: moderate

Prototype Pollution in Ajv
Affected repositories (7)

#1067956: hosted-git-info

Severity: moderate

Regular Expression Denial of Service in hosted-git-info
Affected repositories (3)

#1068163: netmask

Severity: moderate

netmask npm package vulnerable to octal input data
Affected repositories (1)

#1068216: react-dev-utils

Severity: moderate

Improper Neutralization of Special Elements used in an OS Command.
Affected repositories (2)

#1069337: jpeg-js

Severity: moderate

Uncontrolled resource consumption in jpeg-js
Affected repositories (1)

#1069557: mem

Severity: moderate

Denial of Service in mem
Affected repositories (1)

#1069598: js-yaml

Severity: moderate

Denial of Service in js-yaml
Affected repositories (1)

#1069621: tunnel-agent

Severity: moderate

Memory Exposure in tunnel-agent
Affected repositories (1)

#1069910: hoek

Severity: moderate

Prototype Pollution in hoek
Affected repositories (1)

#1069994: swagger-ui-dist

Severity: moderate

Spoofing attack in swagger-ui-dist
Affected repositories (15)

#1070012: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (2)

#1070030: markdown-it

Severity: moderate

Uncontrolled Resource Consumption in markdown-it
Affected repositories (4)

#1070098: striptags

Severity: moderate

Passing in a non-string 'html' argument can lead to unsanitized output
Affected repositories (2)

#1070126: msgpack5

Severity: moderate

Prototype poisoning
Affected repositories (4)

#1070235: jquery

Severity: moderate

Potential XSS vulnerability in jQuery
Affected repositories (1)

#1070236: jquery

Severity: moderate

Potential XSS vulnerability in jQuery
Affected repositories (1)

#1070249: grunt

Severity: moderate

Path Traversal in Grunt
Affected repositories (114)

#1070254: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (12)

#1070255: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (16)

#1070286: highlight.js

Severity: moderate

ReDoS vulnerabilities: multiple grammars
Affected repositories (2)

#1070287: cross-fetch

Severity: moderate

Incorrect Authorization in cross-fetch
Affected repositories (1)

#1070329: prismjs

Severity: moderate

Regular Expression Denial of Service in prismjs
Affected repositories (3)

#1070354: node-forge

Severity: moderate

Improper Verification of Cryptographic Signature in `node-forge`
Affected repositories (1)

#1070475: ws

Severity: moderate

ReDoS in Sec-Websocket-Protocol header
Affected repositories (1)

#1075671: jsdom

Severity: moderate

Insufficient Granularity of Access Control in JSDom
Affected repositories (6)

#1080920: got

Severity: moderate

Got allows a redirect to a UNIX socket
Affected repositories (23)

#1081443: validator

Severity: moderate

Inefficient Regular Expression Complexity in Validator.js
Affected repositories (2)

#1081481: nanoid

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Affected repositories (115)

#1081493: json-pointer

Severity: moderate

Prototype Pollution in json-pointer
Affected repositories (1)

#1081522: glob-parent

Severity: moderate

glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS)
Affected repositories (62)

#1081528: glob-parent

Severity: moderate

glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS)
Affected repositories (1)

#1081885: yargs-parser

Severity: moderate

yargs-parser Vulnerable to Prototype Pollution
Affected repositories (3)

#1081928: node-fetch

Severity: moderate

node-fetch Inefficient Regular Expression Complexity
Affected repositories (1)

#1082132: browserslist

Severity: moderate

Regular Expression Denial of Service in browserslist
Affected repositories (1)

#1082166: ajv

Severity: moderate

Prototype Pollution in Ajv
Affected repositories (3)

#1083239: undici

Severity: moderate

`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Affected repositories (1)

#1084331: undici

Severity: moderate

Nodejs 'undici' Vulnerable to CRLF Injection via Content-Type
Affected repositories (1)

#1084333: jsdom

Severity: moderate

Insufficient Granularity of Access Control in JSDom
Affected repositories (1)

#1084475: undici

Severity: moderate

undici before v5.8.0 vulnerable to CRLF injection in request headers
Affected repositories (1)

#1067472: node-forge

Severity: low

Prototype Pollution in node-forge util.setPath API
Affected repositories (1)

#1070127: xmldom

Severity: low

Misinterpretation of malicious XML input
Affected repositories (1)

#1070149: highlight.js

Severity: low

Prototype Pollution in highlight.js
Affected repositories (2)

#1070458: semver-regex

Severity: low

Regular expression denial of service in semver-regex
Affected repositories (2)

#1081840: node-forge

Severity: low

URL parsing in node-forge could lead to undesired behavior.
Affected repositories (1)

#1082461: node-fetch

Severity: low

The `size` option isn't honored after following a redirect in node-fetch
Affected repositories (1)

#1084343: undici

Severity: low

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
Affected repositories (1)
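With this many advisories the useful first step is to sort them by what actually matters (severity, how many repositories each one hits, and which vulnerability class dominates) rather than reading them in advisory-id order. The script below is an added example, not code from the original page or from any of the packages listed: it parses entries in the plain-text layout used above, buckets them by severity and by a coarse vulnerability class, and ranks packages by total affected repositories. The keyword-to-class table, the severity ranking, and the class names are this example's own assumptions; the sample entries are copied from the list above, in a compact layout the parser also accepts.

```python
"""Triage a plain-text advisory listing (added example, not part of the original page).

Parses entries of the form '#<id>: <package>' / 'Severity: <level>' / '<title>' /
'Affected repositories (<n>)', buckets them by severity and by vulnerability class
(keyword match on the title; the keyword table is this example's own assumption),
and ranks packages by total affected repositories.
"""
import re
from collections import Counter, defaultdict

# Constructed sample copied from the listing above. Blank lines between fields
# are optional for the parser, so they are omitted here for brevity.
SAMPLE = """\
#1067342: minimist
Severity: critical
Prototype Pollution in minimist
Affected repositories (130)
#1070402: grunt
Severity: high
Race Condition in Grunt
Affected repositories (186)
#1070443: async
Severity: high
Prototype Pollution in async
Affected repositories (109)
#1081481: nanoid
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Affected repositories (115)
#1070363: tar
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Affected repositories (14)
#1075650: shell-quote
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote
Affected repositories (4)
"""

ENTRY_RE = re.compile(
    r"^#(?P<id>\d+):[ \t]*(?P<package>\S+)[ \t]*\n"
    r"(?:[ \t]*\n)*Severity:[ \t]*(?P<severity>\w+)[ \t]*\n"
    r"(?:[ \t]*\n)*(?P<title>[^\n]+)\n"
    r"[ \t]*Affected repositories \((?P<repos>\d+)\)",
    re.MULTILINE,
)

# Assumed title keyword -> class mapping; first match wins, so the more
# specific ReDoS patterns come before the generic denial-of-service ones.
CLASSES = [
    ("prototype po", "prototype-pollution"),   # "pollution" and "poisoning"
    ("regular expression", "redos"),
    ("redos", "redos"),
    ("regex", "redos"),
    ("resource consumption", "dos"),
    ("denial of service", "dos"),
    ("command", "command-injection"),
    ("code execution", "code-execution"),
    ("code injection", "code-execution"),
    ("template injection", "code-execution"),
    ("file creation/overwrite", "file-write"),
    ("path traversal", "file-write"),
    ("exposure", "info-exposure"),
    ("cross-site scripting", "xss"),
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


def parse_advisories(text):
    """Return one dict per advisory found in `text`."""
    return [
        {"id": int(m["id"]), "package": m["package"],
         "severity": m["severity"].lower(), "title": m["title"].strip(),
         "repos": int(m["repos"])}
        for m in ENTRY_RE.finditer(text)
    ]


def classify(title):
    """Map an advisory title to a coarse vulnerability class ("other" if unknown)."""
    lowered = title.lower()
    for needle, cls in CLASSES:
        if needle in lowered:
            return cls
    return "other"


def summarize(advisories):
    """Counts by severity and by class, plus packages ranked by repositories hit."""
    by_severity = Counter(a["severity"] for a in advisories)
    by_class = Counter(classify(a["title"]) for a in advisories)
    repos = defaultdict(int)
    for a in advisories:
        repos[a["package"]] += a["repos"]
    ranked = sorted(repos.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"by_severity": by_severity, "by_class": by_class, "packages": ranked}


def triage_order(advisories):
    """Advisory ids, worst first: severity, then how many repositories are hit."""
    def key(a):
        return (SEVERITY_ORDER.get(a["severity"], 99), -a["repos"], a["id"])
    return [a["id"] for a in sorted(advisories, key=key)]


if __name__ == "__main__":
    summary = summarize(parse_advisories(SAMPLE))
    print("by severity:", dict(summary["by_severity"]))
    print("by class:   ", dict(summary["by_class"]))
    for package, n in summary["packages"][:5]:
        print(f"{package:14s} {n:4d} repositories")
```

On the full list above, this kind of pass makes the pattern obvious: a small number of build-time packages (grunt, minimist, async, nanoid) account for most of the affected-repository count, and prototype pollution and ReDoS dominate the classes, which tells you where a single dependency bump or lockfile override pays off most.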
Source code is licensed under the AGPL.