vulnerabilities in npm dependencies

ugh, npm.

There are 139 npm security advisories affecting our repositories.

#1085466: ejs

Severity: critical

ejs template injection vulnerability
Affected repositories (4)

#1085579: json-schema

Severity: critical

json-schema is vulnerable to Prototype Pollution
Affected repositories (2)

#1085893: getobject

Severity: critical

Prototype pollution vulnerability in 'getobject'
Affected repositories (1)

#1085992: immer

Severity: critical

Prototype Pollution in immer
Affected repositories (4)

#1086128: xmlhttprequest-ssl

Severity: critical

Improper Certificate Validation in xmlhttprequest-ssl
Affected repositories (1)

#1087894: loader-utils

Severity: critical

Prototype pollution in webpack loader-utils
Affected repositories (5)

#1087902: @xmldom/xmldom

Severity: critical

xmldom allows multiple root nodes in a DOM
Affected repositories (1)

#1087903: xmldom

Severity: critical

xmldom allows multiple root nodes in a DOM
Affected repositories (2)

#1087917: shell-quote

Severity: critical

Improper Neutralization of Special Elements used in a Command in Shell-quote
Affected repositories (5)

#1087950: socket.io-parser

Severity: critical

Insufficient validation when decoding a Socket.IO packet
Affected repositories (1)

#1087951: socket.io-parser

Severity: critical

Insufficient validation when decoding a Socket.IO packet
Affected repositories (2)

#1088581: underscore

Severity: critical

Arbitrary Code Execution in underscore
Affected repositories (1)

#1088665: thenify

Severity: critical

thenify before 3.3.1 made use of unsafe calls to `eval`.
Affected repositories (1)

#1088730: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (9)

#1089042: property-expr

Severity: critical

Prototype Pollution in property-expr
Affected repositories (1)

#1089098: global-modules-path

Severity: critical

global-modules-path Command Injection vulnerability
Affected repositories (1)

#1089127: eventsource

Severity: critical

Exposure of Sensitive Information in eventsource
Affected repositories (1)

#1089143: underscore

Severity: critical

Arbitrary Code Execution in underscore
Affected repositories (513)

#1089152: flat

Severity: critical

flat vulnerable to Prototype Pollution
Affected repositories (22)

#1089270: ejs

Severity: critical

ejs template injection vulnerability
Affected repositories (3)

#1085478: immer

Severity: high

Prototype Pollution in immer
Affected repositories (2)

#1085488: node-fetch

Severity: high

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Affected repositories (3)

#1085542: engine.io

Severity: high

Resource exhaustion in engine.io
Affected repositories (2)

#1085550: marked

Severity: high

Inefficient Regular Expression Complexity in marked
Affected repositories (1)

#1085551: marked

Severity: high

Inefficient Regular Expression Complexity in marked
Affected repositories (1)

#1085555: trim-newlines

Severity: high

Uncontrolled Resource Consumption in trim-newlines
Affected repositories (5)

#1085556: ua-parser-js

Severity: high

Regular Expression Denial of Service in ua-parser-js
Affected repositories (2)

#1085562: simple-git

Severity: high

Command injection in simple-git
Affected repositories (1)

#1085567: grunt

Severity: high

Race Condition in Grunt
Affected repositories (2)

#1085700: diff

Severity: high

Regular Expression Denial of Service (ReDoS)
Affected repositories (2)

#1085772: simple-git

Severity: high

simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
Affected repositories (1)

#1085798: axios

Severity: high

axios Inefficient Regular Expression Complexity vulnerability
Affected repositories (1)

#1085856: graphiql

Severity: high

GraphiQL introspection schema template injection attack
Affected repositories (1)

#1085945: nth-check

Severity: high

Inefficient Regular Expression Complexity in nth-check
Affected repositories (19)

#1085978: semver-regex

Severity: high

Regular Expression Denial of Service (ReDOS)
Affected repositories (2)

#1086000: tar

Severity: high

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Affected repositories (5)

#1086024: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (4)

#1086025: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (1)

#1086054: socket.io-parser

Severity: high

Resource exhaustion in socket.io-parser
Affected repositories (1)

#1086059: prismjs

Severity: high

Regular Expression Denial of Service (ReDoS) in Prism
Affected repositories (5)

#1086209: xmlhttprequest-ssl

Severity: high

Arbitrary Code Injection
Affected repositories (1)

#1086242: pathval

Severity: high

Prototype pollution in pathval
Affected repositories (1)

#1086281: ua-parser-js

Severity: high

ua-parser-js Regular Expression Denial of Service vulnerability
Affected repositories (2)

#1086346: ua-parser-js

Severity: high

Regular Expression Denial of Service (ReDoS) in ua-parser-js
Affected repositories (2)

#1086354: merge

Severity: high

Prototype Pollution in merge
Affected repositories (1)

#1086386: prismjs

Severity: high

Denial of service in prismjs
Affected repositories (5)

#1086413: immer

Severity: high

Prototype Pollution in immer
Affected repositories (4)

#1087445: prismjs

Severity: high

Cross-Site Scripting in Prism
Affected repositories (5)

#1087893: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Affected repositories (5)

#1088168: prismjs

Severity: high

Cross-site Scripting in Prism
Affected repositories (4)

#1088205: shelljs

Severity: high

Improper Privilege Management in shelljs
Affected repositories (104)

#1088594: d3-color

Severity: high

d3-color vulnerable to ReDoS
Affected repositories (1)

#1088639: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (11)

#1088641: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (4)

#1088643: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (5)

#1088664: minimatch

Severity: high

minimatch ReDoS vulnerability
Affected repositories (35)

#1088666: async

Severity: high

Prototype Pollution in async
Affected repositories (1)

#1088667: async

Severity: high

Prototype Pollution in async
Affected repositories (1)

#1088696: ua-parser-js

Severity: high

ReDoS Vulnerability in ua-parser-js version
Affected repositories (1)

#1088697: ua-parser-js

Severity: high

ReDoS Vulnerability in ua-parser-js version
Affected repositories (7)

#1088705: simple-git

Severity: high

Remote code execution in simple-git
Affected repositories (1)

#1088747: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge
Affected repositories (3)

#1088748: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge
Affected repositories (3)

#1088761: simple-git

Severity: high

Command injection in simple-git
Affected repositories (1)

#1088781: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (4)

#1088782: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (1)

#1088820: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method
Affected repositories (5)

#1088821: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method
Affected repositories (14)

#1088831: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Affected repositories (5)

#1088864: scss-tokenizer

Severity: high

Regular expression denial of service in scss-tokenizer
Affected repositories (1)

#1088897: terser

Severity: high

Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS
Affected repositories (1)

#1088898: terser

Severity: high

Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS
Affected repositories (3)

#1088964: jpeg-js

Severity: high

Infinite loop in jpeg-js
Affected repositories (1)

#1089015: follow-redirects

Severity: high

Exposure of sensitive information in follow-redirects
Affected repositories (1)

#1089029: glob-parent

Severity: high

glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
Affected repositories (7)

#1089056: lodash

Severity: high

Command Injection in lodash
Affected repositories (1)

#1089063: ini

Severity: high

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Affected repositories (4)

#1089065: node-forge

Severity: high

Prototype Pollution in node-forge
Affected repositories (1)

#1089128: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (2)

#1089129: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (1)

#1089130: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (3)

#1089138: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (5)

#1089141: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (5)

#1089281: immer

Severity: high

Prototype Pollution in immer
Affected repositories (2)

#1085578: log4js

Severity: moderate

Incorrect Default Permissions in log4js
Affected repositories (1)

#1085585: video.js

Severity: moderate

Cross-site Scripting in video.js
Affected repositories (1)

#1085771: jquery

Severity: moderate

XSS in jQuery as used in Drupal, Backdrop CMS, and other products
Affected repositories (1)

#1085774: engine.io

Severity: moderate

Uncaught exception in engine.io
Affected repositories (2)

#1085808: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (5)

#1085809: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (1)

#1085812: node-sass

Severity: moderate

Improper Certificate Validation in node-sass
Affected repositories (1)

#1085814: xmldom

Severity: moderate

Misinterpretation of malicious XML input
Affected repositories (2)

#1085867: validator

Severity: moderate

Inefficient Regular Expression Complexity in validator.js
Affected repositories (1)

#1086019: path-parse

Severity: moderate

Regular Expression Denial of Service in path-parse
Affected repositories (1)

#1086072: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (1)

#1086073: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (2)

#1086127: browserslist

Severity: moderate

Regular Expression Denial of Service in browserslist
Affected repositories (5)

#1086175: hosted-git-info

Severity: moderate

Regular Expression Denial of Service in hosted-git-info
Affected repositories (1)

#1086176: hosted-git-info

Severity: moderate

Regular Expression Denial of Service in hosted-git-info
Affected repositories (1)

#1086414: socket.io

Severity: moderate

Insecure defaults due to CORS misconfiguration in socket.io
Affected repositories (1)

#1086430: axios

Severity: moderate

Axios vulnerable to Server-Side Request Forgery
Affected repositories (1)

#1086436: node-notifier

Severity: moderate

OS Command Injection in node-notifier
Affected repositories (1)

#1086450: highlight.js

Severity: moderate

ReDoS vulnerabilities: multiple grammars
Affected repositories (4)

#1086453: highlight.js

Severity: moderate

Prototype Pollution in highlight.js
Affected repositories (4)

#1087458: jpeg-js

Severity: moderate

Uncontrolled resource consumption in jpeg-js
Affected repositories (1)

#1087532: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (3)

#1087533: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (6)

#1087920: xmldom

Severity: moderate

Misinterpretation of malicious XML input
Affected repositories (2)

#1088162: karma

Severity: moderate

Open redirect in karma
Affected repositories (2)

#1088175: follow-redirects

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
Affected repositories (1)

#1088186: karma

Severity: moderate

Cross-site Scripting in karma
Affected repositories (2)

#1088208: shelljs

Severity: moderate

Improper Privilege Management in shelljs
Affected repositories (104)

#1088209: node-forge

Severity: moderate

Open Redirect in node-forge
Affected repositories (3)

#1088213: markdown-it

Severity: moderate

Uncontrolled Resource Consumption in markdown-it
Affected repositories (2)

#1088241: validator

Severity: moderate

Inefficient Regular Expression Complexity in Validator.js
Affected repositories (1)

#1088635: undici

Severity: moderate

`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Affected repositories (1)

#1088646: undici

Severity: moderate

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
Affected repositories (1)

#1088659: cookiejar

Severity: moderate

cookiejar Regular Expression Denial of Service via Cookie.parse function
Affected repositories (4)

#1088709: cross-fetch

Severity: moderate

Incorrect Authorization in cross-fetch
Affected repositories (1)

#1088711: grunt

Severity: moderate

Path Traversal in Grunt
Affected repositories (2)

#1088746: node-forge

Severity: moderate

Improper Verification of Cryptographic Signature in `node-forge`
Affected repositories (3)

#1088811: yargs-parser

Severity: moderate

yargs-parser Vulnerable to Prototype Pollution
Affected repositories (1)

#1088895: undici

Severity: moderate

undici before v5.8.0 vulnerable to CRLF injection in request headers
Affected repositories (1)

#1088948: got

Severity: moderate

Got allows a redirect to a UNIX socket
Affected repositories (3)

#1089011: nanoid

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Affected repositories (3)

#1089034: ajv

Severity: moderate

Prototype Pollution in Ajv
Affected repositories (23)

#1089058: lodash

Severity: moderate

Regular Expression Denial of Service (ReDoS) in lodash
Affected repositories (1)

#1089062: react-dev-utils

Severity: moderate

react-dev-utils OS Command Injection in function `getProcessForPort`
Affected repositories (4)

#1089070: jquery

Severity: moderate

Potential XSS vulnerability in jQuery
Affected repositories (2)

#1089071: jquery

Severity: moderate

Potential XSS vulnerability in jQuery
Affected repositories (2)

#1089185: jsdom

Severity: moderate

Insufficient Granularity of Access Control in JSDom
Affected repositories (6)

#1089189: prismjs

Severity: moderate

prismjs Regular Expression Denial of Service vulnerability
Affected repositories (5)

#1085462: undici

Severity: low

undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
Affected repositories (1)

#1086487: node-fetch

Severity: low

The `size` option isn't honored after following a redirect in node-fetch
Affected repositories (3)

#1088227: node-forge

Severity: low

Prototype Pollution in node-forge debug API.
Affected repositories (3)

#1088228: node-forge

Severity: low

Prototype Pollution in node-forge util.setPath API
Affected repositories (1)

#1088229: node-forge

Severity: low

URL parsing in node-forge could lead to undesired behavior.
Affected repositories (3)

#1088828: decode-uri-component

Severity: low

decode-uri-component vulnerable to Denial of Service (DoS)
Affected repositories (5)

#1089093: semver-regex

Severity: low

Regular expression denial of service in semver-regex
Affected repositories (2)