vulnerabilities in npm dependencies

ugh, npm.

There are 212 npm security advisories affecting our repositories.
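The 212 figure counts alerts, not distinct problems: the same package shows up under many advisory IDs (minimist alone appears twelve times in the list), and the repository counts for two advisories on one package can overlap. The script below is an added example, not part of the original export; it parses entries in exactly the layout used on this page and turns them into a per-package worklist. The five sample entries are copied from the list; the vulnerability-class keywords are a heuristic of mine, not anything the advisory database publishes.

```javascript
// Added example (not part of the original export): reduce a flattened
// Dependabot-style advisory list, in the exact layout used on this page, to a
// per-package worklist. The class keywords are a heuristic, not an official taxonomy.

// Constructed sample: five entries copied verbatim from the list, same layout.
const SAMPLE = `
#1091172: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (1)

#1096548: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (10)

#1089684: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (6)

#1096482: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (96)

#1095091: word-wrap

Severity: moderate

word-wrap vulnerable to Regular Expression Denial of Service
Affected repositories (92)
`;

// One entry = id line, blank, severity line, blank, title line, repo-count line.
const ENTRY_RE = /^#(\d+): (\S+)\n\nSeverity: (\w+)\n\n(.+)\nAffected repositories \((\d+)\)/gm;

const RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Heuristic buckets keyed on advisory title wording (first match wins).
const CLASSES = [
  ['prototype pollution', /prototype (pollution|poisoning)/i],
  ['redos', /redos|regular expression/i],
  ['file write / traversal', /path traversal|directory traversal|file creation/i],
  ['code or command injection', /code injection|command injection|arbitrary code|template injection/i],
  ['xss', /cross[- ]site scripting|\bxss\b/i],
];

function parseAdvisories(text) {
  return [...text.matchAll(ENTRY_RE)].map((m) => ({
    id: m[1],
    pkg: m[2],
    severity: m[3].toLowerCase(),
    title: m[4],
    repos: Number(m[5]),
  }));
}

function classify(title) {
  for (const [name, re] of CLASSES) if (re.test(title)) return name;
  return 'other';
}

function summarize(advisories) {
  const byPackage = new Map();
  const bySeverity = {};
  const byClass = {};
  for (const a of advisories) {
    const p = byPackage.get(a.pkg) || { alerts: 0, worst: 'low', maxRepos: 0 };
    p.alerts += 1;
    if (RANK[a.severity] > RANK[p.worst]) p.worst = a.severity;
    // Repo sets of two advisories for one package may overlap, so a sum would
    // over-count; the max is a safe lower bound on the package's reach.
    p.maxRepos = Math.max(p.maxRepos, a.repos);
    byPackage.set(a.pkg, p);
    bySeverity[a.severity] = (bySeverity[a.severity] || 0) + 1;
    const c = classify(a.title);
    byClass[c] = (byClass[c] || 0) + 1;
  }
  return { alerts: advisories.length, packages: byPackage.size, byPackage, bySeverity, byClass };
}

// Fix order: worst severity first, then widest reach.
function worklist(summary) {
  return [...summary.byPackage.entries()]
    .sort(([, a], [, b]) => RANK[b.worst] - RANK[a.worst] || b.maxRepos - a.maxRepos)
    .map(([pkg, p]) => `${pkg}: ${p.alerts} alert(s), worst=${p.worst}, reaches >=${p.maxRepos} repo(s)`);
}

const summary = summarize(parseAdvisories(SAMPLE));
console.log(`${summary.alerts} alerts across ${summary.packages} packages`, summary.bySeverity, summary.byClass);
console.log(worklist(summary).join('\n'));
```

On the sample this collapses five alerts to four packages and orders them minimist, tar, semver, word-wrap. Run over the whole page the same way it gives one line per package instead of 212, which is the list a team can actually work from.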

#1088813: swagger-ui

Severity: critical

Cross-site scripting in Swagger-UI
Affected repositories (1)

#1089151: json-pointer

Severity: critical

json-pointer vulnerable to Prototype Pollution
Affected repositories (1)

#1089152: flat

Severity: critical

flat vulnerable to Prototype Pollution
Affected repositories (7)

#1089270: ejs

Severity: critical

ejs template injection vulnerability
Affected repositories (1)

#1089900: netmask

Severity: critical

Improper parsing of octal bytes in netmask
Affected repositories (1)

#1091172: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (1)

#1091173: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (1)

#1092753: mockery

Severity: critical

mockery is vulnerable to prototype pollution
Affected repositories (4)

#1093420: getobject

Severity: critical

Prototype pollution in getobject
Affected repositories (1)

#1094088: loader-utils

Severity: critical

Prototype pollution in webpack loader-utils
Affected repositories (1)

#1094089: loader-utils

Severity: critical

Prototype pollution in webpack loader-utils
Affected repositories (1)

#1094471: webpack

Severity: critical

Cross-realm object access in Webpack 5
Affected repositories (1)

#1094493: lodash

Severity: critical

Prototype Pollution in lodash
Affected repositories (1)

#1095022: eslint-utils

Severity: critical

Arbitrary Code Execution in eslint-utils
Affected repositories (1)

#1095034: cryptiles

Severity: critical

Insufficient Entropy in cryptiles
Affected repositories (1)

#1095047: mixin-deep

Severity: critical

Prototype Pollution in mixin-deep
Affected repositories (1)

#1095057: json-schema

Severity: critical

json-schema is vulnerable to Prototype Pollution
Affected repositories (4)

#1095097: underscore

Severity: critical

Arbitrary Code Execution in underscore
Affected repositories (4)

#1095129: set-value

Severity: critical

Prototype Pollution in set-value
Affected repositories (1)

#1095136: protobufjs

Severity: critical

protobufjs Prototype Pollution vulnerability
Affected repositories (1)

#1095212: @babel/traverse

Severity: critical

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Affected repositories (15)

#1095525: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (1)

#1095526: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (1)

#1096548: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (10)

#1096549: minimist

Severity: critical

Prototype Pollution in minimist
Affected repositories (8)

#1085596: acorn

Severity: high

Regular Expression Denial of Service in Acorn
Affected repositories (1)

#1085601: acorn

Severity: high

Regular Expression Denial of Service in Acorn
Affected repositories (1)

#1088594: d3-color

Severity: high

d3-color vulnerable to ReDoS
Affected repositories (1)

#1088964: jpeg-js

Severity: high

Infinite loop in jpeg-js
Affected repositories (1)

#1089196: redis

Severity: high

Node-Redis potential exponential regex in monitor mode
Affected repositories (1)

#1089198: aws-sdk

Severity: high

Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
Affected repositories (1)

#1089386: taffydb

Severity: high

TaffyDB can allow access to any data items in the DB
Affected repositories (18)

#1089589: graphiql

Severity: high

GraphiQL introspection schema template injection attack
Affected repositories (1)

#1089684: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (6)

#1089685: tar

Severity: high

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Affected repositories (1)

#1089836: grunt

Severity: high

Arbitrary Code Execution in grunt
Affected repositories (1)

#1089867: trim

Severity: high

Regular Expression Denial of Service in trim
Affected repositories (2)

#1089895: chrono-node

Severity: high

Denial of service in chrono-node
Affected repositories (1)

#1090137: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (1)

#1090139: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (1)

#1090140: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (1)

#1090384: pac-resolver

Severity: high

Code Injection in pac-resolver
Affected repositories (1)

#1090403: degenerator

Severity: high

Code Injection in pac-resolver
Affected repositories (1)

#1090420: requestretry

Severity: high

Cookie exposure in requestretry
Affected repositories (14)

#1090424: prismjs

Severity: high

Cross-site Scripting in Prism
Affected repositories (1)

#1091148: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method
Affected repositories (1)

#1091174: minimatch

Severity: high

minimatch ReDoS vulnerability
Affected repositories (1)

#1091189: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (1)

#1091252: ini

Severity: high

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Affected repositories (1)

#1091313: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (1)

#1091343: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (1)

#1091346: tar

Severity: high

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Affected repositories (1)

#1091349: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (1)

#1091430: moment

Severity: high

Path Traversal: 'dir/../../filename' in moment.locale
Affected repositories (1)

#1091441: moment

Severity: high

Moment.js vulnerable to Inefficient Regular Expression Complexity
Affected repositories (1)

#1091643: grunt

Severity: high

Race Condition in Grunt
Affected repositories (2)

#1091690: terser

Severity: high

Terser insecure use of regular expressions leads to ReDoS
Affected repositories (1)

#1092316: http-cache-semantics

Severity: high

http-cache-semantics vulnerable to Regular Expression Denial of Service
Affected repositories (5)

#1092475: semver-regex

Severity: high

semver-regex Regular Expression Denial of Service (ReDOS)
Affected repositories (2)

#1093040: libxmljs

Severity: high

Denial of service vulnerability exists in libxmljs
Affected repositories (1)

#1093150: dicer

Severity: high

Crash in HeaderParser in dicer
Affected repositories (4)

#1093224: ini

Severity: high

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
Affected repositories (5)

#1093404: git-clone

Severity: high

Command injection in git-clone
Affected repositories (1)

#1094083: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Affected repositories (1)

#1094084: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Affected repositories (1)

#1094087: decode-uri-component

Severity: high

decode-uri-component vulnerable to Denial of Service (DoS)
Affected repositories (2)

#1094090: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (6)

#1094091: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (5)

#1094092: ansi-regex

Severity: high

Inefficient Regular Expression Complexity in chalk/ansi-regex
Affected repositories (3)

#1094498: lodash

Severity: high

Command Injection in lodash
Affected repositories (1)

#1094499: lodash

Severity: high

Prototype Pollution in lodash
Affected repositories (1)

#1094511: set-value

Severity: high

Prototype Pollution in set-value
Affected repositories (1)

#1094516: browserify-sign

Severity: high

browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
Affected repositories (1)

#1094574: get-func-name

Severity: high

Chaijs/get-func-name vulnerable to ReDoS
Affected repositories (8)

#1094738: vite

Severity: high

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected repositories (1)

#1095007: glob-parent

Severity: high

glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex
Affected repositories (5)

#1095011: node-forge

Severity: high

Prototype Pollution in node-forge
Affected repositories (1)

#1095012: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge
Affected repositories (2)

#1095013: node-forge

Severity: high

Improper Verification of Cryptographic Signature in node-forge
Affected repositories (2)

#1095026: dot-prop

Severity: high

dot-prop Prototype Pollution vulnerability
Affected repositories (1)

#1095051: marked

Severity: high

Inefficient Regular Expression Complexity in marked
Affected repositories (3)

#1095052: marked

Severity: high

Inefficient Regular Expression Complexity in marked
Affected repositories (3)

#1095054: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Affected repositories (1)

#1095055: loader-utils

Severity: high

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Affected repositories (1)

#1095056: kind-of

Severity: high

Validation Bypass in kind-of
Affected repositories (1)

#1095058: js-yaml

Severity: high

Code Injection in js-yaml
Affected repositories (2)

#1095062: hawk

Severity: high

Uncontrolled Resource Consumption in Hawk
Affected repositories (1)

#1095072: moment

Severity: high

Moment.js vulnerable to Inefficient Regular Expression Complexity
Affected repositories (6)

#1095073: node-fetch

Severity: high

node-fetch forwards secure headers to untrusted sites
Affected repositories (2)

#1095083: moment

Severity: high

Path Traversal: 'dir/../../filename' in moment.locale
Affected repositories (6)

#1095086: y18n

Severity: high

Prototype Pollution in y18n
Affected repositories (1)

#1095100: trim-newlines

Severity: high

Uncontrolled Resource Consumption in trim-newlines
Affected repositories (7)

#1095117: tar

Severity: high

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Affected repositories (6)

#1095126: shelljs

Severity: high

Improper Privilege Management in shelljs
Affected repositories (1)

#1095135: protobufjs

Severity: high

Prototype Pollution in protobufjs
Affected repositories (1)

#1095141: nth-check

Severity: high

Inefficient Regular Expression Complexity in nth-check
Affected repositories (4)

#1095142: normalize-url

Severity: high

ReDoS in normalize-url
Affected repositories (1)

#1095223: @koa/cors

Severity: high

Overly permissive origin policy
Affected repositories (1)

#1095388: msgpackr

Severity: high

msgpackr's conversion of property names to strings can trigger infinite recursion
Affected repositories (1)

#1095467: vite

Severity: high

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Affected repositories (1)

#1095469: vite

Severity: high

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Affected repositories (1)

#1095513: minimatch

Severity: high

minimatch ReDoS vulnerability
Affected repositories (1)

#1096302: lodash.set

Severity: high

Prototype Pollution in lodash
Affected repositories (4)

#1096303: lodash.pick

Severity: high

Prototype Pollution in lodash
Affected repositories (3)

#1096305: lodash

Severity: high

Prototype Pollution in lodash
Affected repositories (2)

#1096309: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Affected repositories (5)

#1096376: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (5)

#1096410: hoek

Severity: high

hoek subject to prototype pollution via the clone function.
Affected repositories (1)

#1096411: tar

Severity: high

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Affected repositories (5)

#1096470: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (4)

#1096472: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (3)

#1096474: qs

Severity: high

qs vulnerable to Prototype Pollution
Affected repositories (1)

#1096476: async

Severity: high

Prototype Pollution in async
Affected repositories (1)

#1096479: merge

Severity: high

Prototype Pollution in merge
Affected repositories (2)

#1096485: minimatch

Severity: high

minimatch ReDoS vulnerability
Affected repositories (17)

#1096487: lodash

Severity: high

Command Injection in lodash
Affected repositories (1)

#1096543: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method
Affected repositories (9)

#1096544: json5

Severity: high

Prototype Pollution in JSON5 via Parse Method
Affected repositories (4)

#1096644: browserify-sign

Severity: high

browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
Affected repositories (1)

#1085394: swagger-ui-dist

Severity: moderate

Server side request forgery in SwaggerUI
Affected repositories (1)

#1085674: lodash

Severity: moderate

Regular Expression Denial of Service (ReDoS) in lodash
Affected repositories (1)

#1085685: mem

Severity: moderate

Denial of Service in mem
Affected repositories (1)

#1085691: swagger-ui

Severity: moderate

Reverse Tabnapping in swagger-ui
Affected repositories (1)

#1085693: underscore.string

Severity: moderate

Regular Expression Denial of Service in underscore.string
Affected repositories (1)

#1085724: js-yaml

Severity: moderate

Denial of Service in js-yaml
Affected repositories (2)

#1086900: swagger-ui

Severity: moderate

Cross-Site Scripting in swagger-ui
Affected repositories (1)

#1088208: shelljs

Severity: moderate

Improper Privilege Management in shelljs
Affected repositories (1)

#1088241: validator

Severity: moderate

Inefficient Regular Expression Complexity in Validator.js
Affected repositories (1)

#1088659: cookiejar

Severity: moderate

cookiejar Regular Expression Denial of Service via Cookie.parse function
Affected repositories (4)

#1088709: cross-fetch

Severity: moderate

Incorrect Authorization in cross-fetch
Affected repositories (1)

#1088746: node-forge

Severity: moderate

Improper Verification of Cryptographic Signature in `node-forge`
Affected repositories (2)

#1088759: swagger-ui-dist

Severity: moderate

Spoofing attack in swagger-ui-dist
Affected repositories (10)

#1088760: swagger-ui

Severity: moderate

Spoofing attack in swagger-ui
Affected repositories (1)

#1088811: yargs-parser

Severity: moderate

yargs-parser Vulnerable to Prototype Pollution
Affected repositories (4)

#1088818: ms

Severity: moderate

Vercel ms Inefficient Regular Expression Complexity vulnerability
Affected repositories (1)

#1088901: json-pointer

Severity: moderate

Prototype Pollution in json-pointer
Affected repositories (1)

#1088948: got

Severity: moderate

Got allows a redirect to a UNIX socket
Affected repositories (7)

#1089011: nanoid

Severity: moderate

Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Affected repositories (4)

#1089034: ajv

Severity: moderate

Prototype Pollution in Ajv
Affected repositories (3)

#1089122: vite

Severity: moderate

Vitejs Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
Affected repositories (1)

#1089185: jsdom

Severity: moderate

Insufficient Granularity of Access Control in JSDom
Affected repositories (4)

#1089202: msgpack5

Severity: moderate

Prototype poisoning
Affected repositories (2)

#1089240: vuetify

Severity: moderate

Vuetify Cross-site Scripting vulnerability
Affected repositories (1)

#1089434: jsonwebtoken

Severity: moderate

jsonwebtoken unrestricted key type could lead to legacy keys usage
Affected repositories (2)

#1089600: validator

Severity: moderate

Inefficient Regular Expression Complexity in validator.js
Affected repositories (1)

#1089681: path-parse

Severity: moderate

Regular Expression Denial of Service in path-parse
Affected repositories (1)

#1089718: color-string

Severity: moderate

Regular Expression Denial of Service (ReDOS)
Affected repositories (1)

#1089729: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (1)

#1089809: hosted-git-info

Severity: moderate

Regular Expression Denial of Service in hosted-git-info
Affected repositories (2)

#1089955: sanitize-html

Severity: moderate

Improper Input Validation in sanitize-html
Affected repositories (1)

#1090097: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (1)

#1090098: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (1)

#1090476: ws

Severity: moderate

ReDoS in Sec-Websocket-Protocol header
Affected repositories (1)

#1091026: @sideway/formula

Severity: moderate

@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability
Affected repositories (1)

#1091087: jsonwebtoken

Severity: moderate

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
Affected repositories (2)

#1091410: request

Severity: moderate

Server-Side Request Forgery in Request
Affected repositories (1)

#1091644: grunt

Severity: moderate

Path Traversal in Grunt
Affected repositories (1)

#1091789: sanitize-html

Severity: moderate

Improper Input Validation in sanitize-html
Affected repositories (1)

#1092160: swagger-ui-dist

Severity: moderate

Server side request forgery in SwaggerUI
Affected repositories (9)

#1092161: swagger-ui

Severity: moderate

Server side request forgery in SwaggerUI
Affected repositories (1)

#1092549: jsonwebtoken

Severity: moderate

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
Affected repositories (2)

#1092632: jose

Severity: moderate

JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected repositories (1)

#1092663: markdown-it

Severity: moderate

Uncontrolled Resource Consumption in markdown-it
Affected repositories (3)

#1092972: request

Severity: moderate

Server-Side Request Forgery in Request
Affected repositories (55)

#1093035: browserslist

Severity: moderate

Regular Expression Denial of Service in browserslist
Affected repositories (2)

#1093539: postcss

Severity: moderate

Regular Expression Denial of Service in postcss
Affected repositories (2)

#1093560: netmask

Severity: moderate

netmask npm package mishandles octal input data
Affected repositories (1)

#1093580: jpeg-js

Severity: moderate

Uncontrolled resource consumption in jpeg-js
Affected repositories (1)

#1093719: node-forge

Severity: moderate

Open Redirect in node-forge
Affected repositories (1)

#1094146: jquery

Severity: moderate

Potential XSS vulnerability in jQuery
Affected repositories (2)

#1094170: jquery

Severity: moderate

XSS in jQuery as used in Drupal, Backdrop CMS, and other products
Affected repositories (1)

#1094185: jquery

Severity: moderate

Potential XSS vulnerability in jQuery
Affected repositories (2)

#1094217: swagger-ui

Severity: moderate

Cross-Site Scripting in swagger-ui
Affected repositories (1)

#1094219: debug

Severity: moderate

Regular Expression Denial of Service in debug
Affected repositories (6)

#1094220: debug

Severity: moderate

Regular Expression Denial of Service in debug
Affected repositories (7)

#1094419: ms

Severity: moderate

Vercel ms Inefficient Regular Expression Complexity vulnerability
Affected repositories (15)

#1094500: lodash

Severity: moderate

Regular Expression Denial of Service (ReDoS) in lodash
Affected repositories (2)

#1094544: postcss

Severity: moderate

PostCSS line return parsing error
Affected repositories (47)

#1095091: word-wrap

Severity: moderate

word-wrap vulnerable to Regular Expression Denial of Service
Affected repositories (92)

#1095210: @google-cloud/firestore

Severity: moderate

Logging of the firestore key within nodejs-firestore
Affected repositories (1)

#1095365: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (3)

#1095366: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (2)

#1095367: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (2)

#1095438: jquery

Severity: moderate

jQuery Cross Site Scripting vulnerability
Affected repositories (1)

#1095523: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (1)

#1095524: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (1)

#1096353: follow-redirects

Severity: moderate

Follow Redirects improperly handles URLs in the url.parse() function
Affected repositories (3)

#1096465: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (6)

#1096466: minimist

Severity: moderate

Prototype Pollution in minimist
Affected repositories (9)

#1096478: jquery

Severity: moderate

jQuery Cross Site Scripting vulnerability
Affected repositories (1)

#1096482: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (96)

#1096483: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (91)

#1096484: semver

Severity: moderate

semver vulnerable to Regular Expression Denial of Service
Affected repositories (89)

#1096525: axios

Severity: moderate

Axios Cross-Site Request Forgery Vulnerability
Affected repositories (3)

#1096526: axios

Severity: moderate

Axios Cross-Site Request Forgery Vulnerability
Affected repositories (2)

#1096570: ip

Severity: moderate

NPM IP package incorrectly identifies some private IP addresses as public
Affected repositories (3)

#1096571: ip

Severity: moderate

NPM IP package incorrectly identifies some private IP addresses as public
Affected repositories (2)

#1096639: sanitize-html

Severity: moderate

sanitize-html Information Exposure vulnerability
Affected repositories (1)

#1096643: tough-cookie

Severity: moderate

tough-cookie Prototype Pollution vulnerability
Affected repositories (58)

#1096650: jose

Severity: moderate

jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
Affected repositories (1)

#1096692: follow-redirects

Severity: moderate

follow-redirects' Proxy-Authorization header kept across hosts
Affected repositories (8)

#1096693: xml2js

Severity: moderate

xml2js is vulnerable to prototype pollution
Affected repositories (5)

#1085715: braces

Severity: low

Regular Expression Denial of Service in braces
Affected repositories (1)

#1088227: node-forge

Severity: low

Prototype Pollution in node-forge debug API.
Affected repositories (1)

#1088228: node-forge

Severity: low

Prototype Pollution in node-forge util.setPath API
Affected repositories (1)

#1088229: node-forge

Severity: low

URL parsing in node-forge could lead to undesired behavior.
Affected repositories (1)

#1089939: braces

Severity: low

Regular Expression Denial of Service (ReDoS) in braces
Affected repositories (1)

#1091791: node-fetch

Severity: low

The `size` option isn't honored after following a redirect in node-fetch
Affected repositories (1)

#1092605: semver-regex

Severity: low

Regular expression denial of service in semver-regex
Affected repositories (2)

#1093178: apollo-server-core

Severity: low

Prevent logging invalid header values
Affected repositories (1)

#1094515: undici

Severity: low

Undici's cookie header not cleared on cross-origin redirect in fetch
Affected repositories (1)

#1096592: es5-ext

Severity: low

es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
Affected repositories (1)
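Most of the critical entries in the list are prototype pollution (minimist, flat, json-pointer, lodash, set-value, mixin-deep, json-schema, and others). The block below is an added illustration of the mechanism behind that class; it is generic code written for this page, not the code of minimist or any other package listed, and the merge functions and the demo driver are my own.

```javascript
// Added example: the mechanism behind the many "Prototype Pollution" entries
// above. Generic illustration, not the code of minimist, lodash, qs, flat or any
// other package in the list; the merge functions and demo driver are mine.

// Vulnerable: a naive deep merge. Reading target["__proto__"] on a plain object
// returns Object.prototype, so a "__proto__" key in untrusted input recurses
// into it and writes properties that every plain object then inherits.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    const existing = target[key];
    if (value !== null && typeof value === 'object' && existing !== null && typeof existing === 'object') {
      unsafeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened: refuse the keys that reach a prototype, and only ever recurse into
// an OWN plain-object property of target, never into an inherited one.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Driver: merge an attacker-shaped JSON body (constructed) into an empty
// config, then check whether an unrelated fresh object inherited `isAdmin`.
// Cleans up so the rest of the process is not left polluted.
function demo(merge) {
  const body = JSON.parse('{"name":"x","__proto__":{"isAdmin":true}}');
  const config = {};
  merge(config, body);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, name: config.name };
}

console.log('unsafeMerge polluted Object.prototype:', demo(unsafeMerge).polluted);
console.log('safeMerge polluted Object.prototype:', demo(safeMerge).polluted);
```

Note that JSON.parse produces an own property literally named `__proto__`, which is why `Object.keys` hands it to the merge at all. `constructor` is blocked too because `constructor.prototype` reaches the same object by another route. As defence in depth, independent of any one library, Node can be started with `--disable-proto=delete` (or `=throw`), and `Object.freeze(Object.prototype)` at process start makes the write a silent no-op; neither replaces fixing the dependency.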

Source code is licensed under the AGPL.